A Tor executive has confirmed that a zero-day vulnerability impacting Tor and Firefox has been spotted being used to execute malicious code, but it has been reported to Mozilla, according to ARS Technica.
The issue was first posted to the Tor website by a user, but Tor co-founder Roger Dingledine confirmed that the issue is real and has been reported Mozilla.
“I pointed some folks on irc to this mail, and Daniel Veditz (Mozilla Security Team) said "the Firefox team was sent a copy of that this morning. We've found the bug being used and are working on a patch." Dingledine said on Tor, adding once a Firefox patch is issued, which are expected shortly, the Tor browser will follow suit with its own patch.
Security researchers questioned by ARS said the code “exploits a memory corruption vulnerability that allows malicious code to be executed on computers running Windows.”