# FF 17 vulnerability

## wolfieh

There was a recent Tor attack that used a Firefox 17 0day (current stable in Gentoo). Someone should do a version bump on it.

http://www.twitlonger.com/show/n_1rlo0uu

----------

## eccerr0r

Ouch, probably should put a high priority bugs.gentoo.org security bug. Not good.

The only saving grace (which is NOT security) is that it appears to be targeting Windows... But don't breathe easy because of it, it's easy enough to change it to Linux.

----------

## broken_chaos

According to the bug reports filed over at Mozilla, this is already fixed in 17.0.7esr. The Tor Browser Bundle people just didn't update their released version (edit: or, if they did, they broke the fix, or many of their users failed to update). Long story short, when a security update is released, people who rebundle and make use of the code/program in some capacity should probably apply the update ASAP themselves.

https://bugzilla.mozilla.org/show_bug.cgi?id=901365#c23 (the Tor-specific bug report) and http://www.mozilla.org/security/announce/2013/mfsa2013-53.html (the probable security advisory which related to the exploit).

(This also means that anyone who keeps Gentoo up to date is immune. 17.0.7 is in stable and has been for some time.)

----------

## eccerr0r

Ah so this is not a true 0 day as it appears the discoverer mentioned it didn't work on latest or something like that... Untested against 17.0.7 which is fine, so I guess things are hunky dory. It is weird that 17.0.7 has been released for quite a while and they didn't grab it. Oh well.

17.0.7 is timestamped at the end of June in portage so most people should have it by now.

----------

## broken_chaos

*eccerr0r wrote:*

> It is weird that 17.0.7 has been released for quite a while and they didn't grab it.

I looked into it and apparently there was a 17.0.7-based TBB released late June. Either they didn't implement the fix properly or, more likely, many of their users just weren't very diligent at updating.

----------

