CVE-2016-9079

What Is Mozilla Firefox / Tor Browser?

Mozilla Firefox is one of the world's most widely used web browsers, with hundreds of millions of users. The Tor Browser is a hardened Firefox variant that routes all traffic through the Tor anonymization network — used by journalists, activists, privacy advocates, dissidents, and others requiring anonymized internet access. Tor Browser is based on Firefox ESR (Extended Support Release) with additional privacy patches and Tor integration.

SVG (Scalable Vector Graphics) is an XML-based format for vector graphics that Firefox renders natively. Firefox's SVG implementation includes an animation engine (SMIL — Synchronized Multimedia Integration Language) that animates SVG elements over time. The animation engine's object lifecycle management has historically been a source of use-after-free vulnerabilities.

Overview

CVE-2016-9079 is a use-after-free vulnerability in Firefox's SVG animation engine that was exploited in the wild to de-anonymize Tor Browser users on Windows — disclosing their real IP addresses to a remote server. Mozilla issued emergency patches (Firefox 50.0.2, Firefox ESR 45.5.1, Tor Browser 6.0.7) on November 30, 2016, explicitly acknowledging confirmed in-the-wild exploitation in MFSA2016-92. The CVSS reflects confidentiality-only impact (C:H, I:N, A:N) because the observed exploit was used for information disclosure (IP address extraction) rather than arbitrary code execution — though the UAF could theoretically enable code execution. CISA added CVE-2016-9079 to the KEV catalog in June 2023.

Affected Versions

Technical Details

Root Cause: SVG SMIL Animation Use-After-Free

CVE-2016-9079 is a use-after-free (CWE-416) in Firefox's implementation of SVG SMIL animation. The SMIL animation system animates SVG element properties over time, managing animated objects with references to SVG DOM elements. A specific sequence of SVG animation operations — likely involving animated element removal while an animation timeline still holds a reference to it — causes Firefox to free the underlying SVG object while retaining a live pointer to it. Accessing the stale pointer through the dangling animation reference provides read access to freed heap memory.

De-anonymization exploit mechanism: The exploit observed in the wild was specifically designed for Tor Browser de-anonymization, not general code execution:

1. Victim visits attacker's Tor hidden service page — the exploit payload is embedded in a page served over Tor
2. SVG UAF triggers — the exploit accesses the freed SVG object to read heap memory contents
3. Windows-specific exploit — the payload targeted Windows; it executed JavaScript that called window.location to a file:// URI or used Windows-specific API access to reveal system identifying information
4. Real IP disclosure — the exploit used the memory access to determine or reveal the victim's real IP address and system information (hostname, MAC address), then sent this data to a remote collection server bypassing Tor routing
5. Tor anonymization broken — the collection server (outside Tor) received the victim's real IP, de-anonymizing them

The exploit required no user interaction beyond visiting the malicious page (hence UI:N in the CVSS), and operated silently.

Emergency Out-of-Band Patch

Mozilla released Firefox 50.0.2 outside its regular release cycle on November 30, 2016 — an emergency patch responding to confirmed in-the-wild exploitation. Mozilla's advisory explicitly acknowledged: "An exploit built on this vulnerability has been observed in the wild targeting Firefox and Tor browser users on Windows."

Attack Characteristics

Discovery

The exploit was discovered being used in the wild against Tor Browser users. Mozilla issued an emergency patch after receiving information about active exploitation. The exploit's sophistication and targeting of Tor users specifically suggested a law enforcement or intelligence agency operation.

Exploitation Context

• Tor de-anonymization operation: The use of CVE-2016-9079 against Tor Browser users is consistent with law enforcement or intelligence agency techniques for identifying Tor users accessing hidden services; the exploit was embedded in a page served over Tor, targeting only Windows users — suggesting a targeted operation against a specific Tor-accessible site and its visitors
• Tor Browser as a hardened target: Tor Browser implements additional security measures beyond standard Firefox (disabled JavaScript options, no Flash, NoScript) that make exploitation harder; the SVG animation UAF was a bypass of these protections because SVG animation is not disabled by Tor Browser's default "High Security" setting
• Windows-specific payload: The exploit targeted Windows Firefox/Tor users; Mac/Linux users were not affected by the specific payload even if the underlying UAF existed in those versions — suggesting the payload used Windows-specific techniques for IP disclosure
• CISA KEV (2023): Added June 2023 based on confirmed exploitation in the 2016 de-anonymization campaign

Remediation

1. Update Firefox — install Firefox 50.0.2 or any subsequent Firefox release via the Firefox auto-updater or Mozilla's download site. All current Firefox versions include this fix.

2. Update Tor Browser — install Tor Browser 6.0.7 or any subsequent release from the Tor Project; current Tor Browser releases include this fix.

3. Update Thunderbird — install Thunderbird 45.5.1 or any subsequent Thunderbird release.

4. For Tor Browser users — enable High Security Mode — Tor Browser's "Safest" security level disables JavaScript and SVG features that could be exploited; this mode would have prevented CVE-2016-9079 exploitation. Enable via the Tor Browser Security Settings icon in the toolbar.

5. Keep browsers auto-updated — configure Firefox auto-update to ensure emergency patches are applied within hours of release, not days or weeks.