Tor security advisory: Old Tor Browser Bundles vulnerable
An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
- 2.3.25-10 (released June 26 2013)
- 2.4.15-alpha-1 (released June 26 2013)
- 2.4.15-beta-1 (released July 8 2013)
- 3.0alpha2 (released June 30 2013)
Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.
Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…
So arma you think it should be illegal for people to look at some pictures?
JB is jailbait and means naked pictures of people about 13 and older
Stay on topic, please.
The very fact that something is taboo gives it a certain lure.
Stolen water is sweet. Forbidden fruit and all that.
Entrapment?
Where did the Tor Project so much as even /encourage/ visiting the type of sites that you CHOSE to visit?
Oh, I forgot, that's all besides the fact that you were running an OUTDATED, DEPRECATED version of TBB that had been replaced over a month ago!
Does running TBB from a Windows based VM protect the host machine MAC address? Only the randomly generated VM MAC could be revealed by this exploit?
Maybe? It seems like a step in the right direction.
So nobody has any idea if users of versions lower than 17 are affected, like version 10 for example, because nobody knows what was in content1_html. Why is that not mentioned in the article or in any articles for that matter? Why is this not investigated? There could have been another exploit, different from this one in that page, one that still works in the latest version.
javascript is the real issue. Yeah, it would be great if the exploit only works on v17 (for those using older versions), but if you had javascript disabled, probably doesn't matter which version one used. More data is needed.
See the list of Mozilla advisories, linked in the Tor advisory:
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
All the ones in red are bad news. And most of the ones in red came out after Firefox 10 was abandoned.
I think most are concerned with this specific exploit on non-TBB FF versions under v17.
Nobody cares about outdated software. Do you use Win95/98?
Be up to date!
Not to be paranoid but how do we not know that old Tor versions are safe and the new versions are actually planted with back doors?
Well, you know that older Tor versions aren't safe: we give you detailed release notes for all stable releases:
https://gitweb.torproject.org/tor.git/blob/HEAD:/ReleaseNotes
As for whether newer versions have backdoors, see for example
https://www.torproject.org/docs/faq#Backdoor
https://blog.torproject.org/blog/calea-2-and-tor
for some discussion of why it would be unwise for us to put backdoors in.
And if you want to be extra careful (besides reading all the source code of course), check out Mike's recent work on deterministic builds:
https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD…
It's open source. Get the code. Read it for yourself and see what it's doing. Reproduce the build environment and build it on your own machine.
If you don't know how to do any of that, learn.
The biggest threat to anonymity and online safety is ignorance,
Have /you/ carefully checked through all of the code for all of the software that you use?
Are you even sure that, should there be anything suspicious in the code, that you would recognize it?
Browser versions less than 17 WERE exploited by this. It checks the version and if less than 17 redirects to content_1.html. Does anybody know the contents of that file?
Exactly, there is a lot of misinformation being spread on all official channels. Every expert review I've read so far specifically talks about version 17 being the only one targeted and affected. But that is clearly not the case if you read the code. Versions 0-16 inclusive are subjected to content_1 payload.
content_1, that nobody has seen so far, could have calls to content_4, 5, 6.. and do a lot more than just report the IP. I wonder why it was never obtained? And why is every news source trying to hide its existence? Can it not be obtained the same way content_2 and 3 were?
Let us know as you learn more!
If my browser was safe but I had a separate instance of FF open elsewhere, can the malicious javascript bleed through and phone home to the FBI from there?
Can Javascript jump from one open browser to another or is that off the table?
- Just seeking clarification on all of the possibilities and I promise I'm only asking this once! -
In a correctly behaving browser, Javascript shouldn't be able to jump between browsers.
In a vulnerable browser, somebody could have written an exploit to take over your computer, and from there it could mess with any other running (or not yet running) applications.
Since malicious client side scripts have no direct access to the underlying filesystem or OS of the client, they can not be transmitted across browsers.
However, if you have malicious bookmarks or addons installed and voluntarily transfer them, perhaps in ignorance, then the other browser is also vulnerable.
And it depends if "malicious scripts installed" are at an OS level, or at a browser level. If something infects your OS, any application is vulnerable.
So, with an older version of TBB with javascript disabled and ex on linux, a user would not be affected by this?
Correct.
(But you should upgrade anyway!)
"ex on linux"
ex?>
Did the TBB notify on the start page of an update if you were running Firefox ESR 17.0.6 when 17.0.7 was released?
Yes. Or more specifically, it notified you once a new TBB was released, and that TBB included Firefox 17.0.7.
Any knowledge as to whether EMET would have prevented the exploit from running? Nobody has talked about this but the enhanced mitigation features are useful under Windows and should be common practice.
Good question. Does Firefox build with it?
Does App Armor come in here at all?
Is the TOR browser from June 23 safe?
Depends what version it is.
Would the exploit affect Unix-based operating systems or just windows?
For this exploit, just Windows.
But you should stay up-to-date on other platforms too.
i have to repeat the same message as a follower above:
on 30 july or 1st august i received this message as a sub-bar:
In order to implement a crucial fix, this update resets your HTTPS Everywhere rule preferences to their default values
what does it mean i should be worried? it seems i use 1.7.6 version but with javascript off. the rest of browser is on default mode. did that "crucial fix" something wrong? it is known for sure that only javascript ON affected people and nothing else?
Did that bar pop up when you visited a known infected site? Or was it randomly some other time?
People know it affected us through Javascript, because specifically it was a Javascript attack when visiting those sites. Events happened in the order of
1. Visit infected site
2. Malicious Javascript code awaits you, it attempts to launch!
3. Blocked/Detected/Affected
Not sure about the crucial fix playing out on this stage. Seems unrelated.
hey. i really can't remember when that subbar shows up, if i tried to access a site or suddenly doing other thing. certainly is this was in tor, not in mozilla because i use chrome for clearnet. i had c/p that message on google and i can only find it on twitter on a engineer computer guy. it amaze me that this nobody else noticed than fellow above. it has appeared absolutely the same it was rewritten by me now. does tor ever sent subbars like that?
thing is i did nothing on that because i didn't even know what was happening at that moment, nobody knows. 30 or 1 aug. very strange.
all i want to know if this was sent from TOR or because of this exploit. and if is because of malware, i should be calm using 17.6 at that moment with javascript off and a pretty old TBB(2-3 months)? i am very "lucky" day by day.. it seems legit why almost only me received that....
No, I saw the same message a couple of days ago and I was prodding around FH to see what was going on but noscript was always on. Thing is, I updated my TBB today to 17.0.7 and the message reappeared after the second launch of TBB. It says "to implement a crucial fix https has reset to default rules" or similar. This is 64bit linux.
A few days ago I also had this bar showing up. IIRC it was displayed as soon as the browser started and visited the check.torproject.org page. I also made screenshots of this event.
Quoting the poster before me: all i want to know if this was sent from TOR or because of this exploit. and if is because of malware....
That is what I wish to know too. Was the message "In order to implement a crucial fix, this update resets your HTTPS Everywhere rule preferences to their default values" sent by Tor?
I was using the latest version of TBB at the time when I received the above "crucial fix" message but with JavaScript enabled.
What I did next was to delete the TBB, re-downloaded the TBB from Tor's official website and re-launched the Tor browser.
I also ran a complete scan of my PC using the latest anti-virus software.
For Tor developers and people who are interested in investigating further whether the website has been infected with the JavaScript exploit, please surf to http://sammyboy.com
That is the website that forced my Tor browser to reset HTTPS Everywhere set of rules.
I am the first person who posted the "HTTPS Everywhere" crucial fix message.
In answer to your questions:
1. Did that bar pop up when you visited a known infected site? Or was it randomly some other time? I am unable to answer this question as there is no way for me to tell whether the site that gave me the "crucial fix" error has been infected or not.
2. At the time I received the "crucial fix" message, I was already using the latest version of TBB but with JavaScript enabled.
i'm paranoid i please OP to respond. was this message from tor browser or tricky scheme of infected sites i visited?
early this year i made $16 each donations on every service i love which is ad block, umusic and tor. i didn't expect this coming!!! please respond to my inquiry
I read that the sub-bar was one of the indicators that the exploit had been run on your browser. Sorry, you might want to nuke your hard drives :(
Where exactly did you read that? Could you provide the links?
Sounds like nonsense.
Why not make an official post reassuring people about the HTTPS-Everywhere pop-up in question. Many people, myself included, were/are obviously concerned. Wasn't that only reasonable and to be expected?
I'm using HTTPS everywhere on two other browsers (one on Windows and one on Fedora) which are not being used for tor browsing at all, and received the same message on both recently. Probably it was part of the last update of the extension.
I got that popup after getting the newest TOR bundle today. I disabled JS and all the other things and did not visit the infected sites on this new bundle. It's most likely unrelated.
me too.. installed the new bundle, disabled javascript, visited only hidden wiki and this blog. after system restart and opening tor i see the same message on my firefox.