Tor security advisory: Old Tor Browser Bundles vulnerable
An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
- 2.3.25-10 (released June 26 2013)
- 2.4.15-alpha-1 (released June 26 2013)
- 2.4.15-beta-1 (released July 8 2013)
- 3.0alpha2 (released June 30 2013)
Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.
Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…
I also saw this message pop up. A little research reveals:
The latest tbb comes with HTTPS-Everywhere 3.2.2.
tbb has "update Add-ons automatically" selected by default so it gets updated to the latest version.
Latest version of HTTPS-Everywhere shows changes to code
https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrom…
In response to this ticket
https://trac.torproject.org/projects/tor/ticket/8776
It looks like this is normal behavior.
Yes.
I got this message too! Am not sure i was visiting an FH site atm.
Was the update official or it was an attack? I even clicked it. I use FF 17.0.7 ESR on Win7 64bit.
As a translator of HTTPS Everywhere, I have seen and translated that very string, so it is an official part of the HTTPS Everywhere extension. It is not related to any exploit. It is not put there by any website one visited.
Sorry if this has been asked already, but I only downloaded the Tor Browser Bundle a few days ago, so I presume I had the latest browser version, 17.07. I just checked, and JavaScript was enabled.
For non-Tor browsing, I use Firefox 22.0. Am I safe from this exploit?
We think so.
So my Kaspersky marked malware in this file "C:\Documents and Settings\-name-\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22" and even labeled it "exploit". Is this the same exploit?
Java? Sounds unrelated.
Would running Tails with Iceweasel 17.0.7 in VM within windows be safe from the attack as well?
I would say that is VERY safe
Yes. Even safer than on normal Windows.
Anon: "Would running Tails with Iceweasel 17.0.7 in VM within windows be safe from the attack as well?"
arma: "Yes. Even safer than on normal Windows."
Huh? Run Tails on Windows? How is that even possible /other/ than within a VM?
For me it sounds like "safer than use TBB on Windows".
NSA RESPONSIBLE:
http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted…
Not that I'm saying it's wrong, but I'd like more details than "somebody knows somebody else who has some database that said this netblock was once the NSA's".
domaintools.com shows the exploiter's server IP (65.222.202.53) belongs to the government contractor SAIC. They do work with NSA but also many other government agencies (source: I used to work for them!). The link in that article to the robtex.com page (pop.robtex.com/nsa.gov.html#records) doesn't seem to include that IP. So I can't see how they know it's been "assigned" to NSA. But that it's linked to SAIC means it likely is some kind of U.S. government project.
When did the attack take place? i.e., when did they start using the java exploit?
"java exploit"
JavaSCRIPT not Java!
Can Torproject please fix the check.torproject.org page that incorrectly informs users of 10.0.12 they are up to date? People who rely on that version check won't know to update.
Might this be a bug in whatever ANCIENT, LONG-DEPRECATED version of TBB has Firefox 10.0.12 ?
I last used Tor in early May, never did anything illegal but I probably visited a FH site if the whole 50% of the sites are hosted by FH is true. Have you got any ideas/guesses on a time frame for the attack?
Time frame was "a few days ago".
Also, the notion that half the hidden services were hosted by FH is likely bunk. Of course, they're hidden so it's hard to produce a concrete number.
Of all the sites hosted by Freedom Hosting, how many were/are dedicated to scabrous material involving underage subjects?
bunk?
In this case, I'd say it's more likely poppycock.
This TOR exploit thingy. It supposedly gets your IP, but what if you're on a home network behind a router? Will it grab the IP of your computer on that network, like 192.168.x.x?
It grabs your hostname (e.g. "John's PC"), your MAC address (the local hardware address), and then it sends those plus a unique number to the remote website. It's that last step where the attacker can learn your public IP address -- and where a firewall sure would be helpful, to block outgoing non-Tor connections (like how Tails does it).
The firewall wouldn't help with this exploit, because the malicious assembly code executes within the TorBrowser process space (the firewall would think it's the tor browser and let it through).
There is no reason to let the Tor Browser process (or indeed, any process run by that user) speak to the Internet.
Is it another process (vidalia?) that actually makes the internet connection? If so, yes a firewall blocking tor browser outbound would be a really good idea. I was assuming Tor Browser itself makes the connection.
No, it's a program called Tor. You might have heard of it. :)
So to prevent future exploits of this type, could torproject maybe show downloaders how to set the Windows firewall properly to block all outgoing connections (it allows all by default) except allow tor.exe and the user's other trusted programs? And mention if a window ever pops up to allow tbb-firefox.exe to connect outbound (i.e. some exploit is running) to always deny it? Users who understand that would pretty much be safe from any future exploits like this, I'd think.
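One way to set up what this comment proposes, as an added example that is not from the Tor Project or from any commenter here: a PowerShell script that switches the Windows firewall to default-deny outbound, allows only tor.exe (plus any other programs you list) to connect out, and then audits which outbound allow rules remain for programs outside that list. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets (the netsh advfirewall equivalents for Windows 7 are given in comments), an elevated shell, and a placeholder path for tor.exe that you must replace with your bundle's real location. The browser executable deliberately gets no rule, so an outbound attempt from the browser process is blocked, which is the "always deny" the comment asks for.

```powershell
# Added example (not Tor Project code): default-deny outbound, allow only trusted programs.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an Administrator shell.
# Windows 7 equivalents (netsh advfirewall):
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
#   netsh advfirewall firewall add rule name="Allow tor.exe" dir=out action=allow program="<path>\tor.exe"
#Requires -RunAsAdministrator

# PLACEHOLDER: the advisory gives no install path; point this at your own bundle's tor.exe.
$TorExe  = 'C:\REPLACE_ME\Tor Browser\App\tor.exe'
$Trusted = @($TorExe)          # add other trusted programs here, each by full path
$Prefix  = 'TBB-Hardening'

# 1. Block all outbound traffic by default on every profile (Windows allows it by default).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. One outbound Allow rule per trusted program. tbb-firefox.exe is intentionally absent,
#    so a direct connection from the browser process is dropped by the default-deny policy.
foreach ($exe in $Trusted) {
    $name = "$Prefix - allow outbound - $(Split-Path $exe -Leaf)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Program $exe -Profile Any | Out-Null
    }
}

# 3. Audit: list every enabled outbound Allow rule whose program is not on the trusted list,
#    so a stray permit (including one added by another installer) is visible.
function Get-UntrustedOutboundAllowRules {
    param([string[]]$TrustedPrograms)
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule   = $_
            $filter = $rule | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                DisplayName = $rule.DisplayName
                Program     = $filter.Program      # 'Any' means the rule is not tied to a program
                Trusted     = ($filter.Program -in $TrustedPrograms)
            }
        } |
        Where-Object { -not $_.Trusted }
}

Get-UntrustedOutboundAllowRules -TrustedPrograms $Trusted | Format-Table -AutoSize
```

Expect the audit to list Windows' own built-in rules (Core Networking, DHCP and similar, shown with Program = Any); review those rather than deleting them blindly, since the machine still needs DHCP to get an address before tor.exe can connect. Anything else that appears is a program that can bypass Tor and should be justified or removed.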
Maybe? We're all bad with Windows, so it would be great if somebody would volunteer to work on this.
(The other answer is to run Tails in a VM on Windows, if you really need to be running Windows in the first place.)
Wait, how does it get your ip from the hostname, MAC and the unique number?
"and then it sends those [...] to the remote website. It's that last step where the attacker can learn your public IP address"
It sends them outside of TOR?
Yes. (Read the advisory.)
Hi,
Once again sorry for being redundant, but I thought I would ask a broader question hoping that it would answer a lot of questions.
If someone had Windows 7, Tor Browser Bundle 2.3.25.10 with Firefox 17.0.7 ESR, but NoScript set to "Allow ALL globally", would my MAC address and IP address have been revealed by this "iFrame picture" exploit?
Also, is the MAC address that is revealed my MOTHERBOARD'S network jack address OR my internet service provider (ISP)'s router/modem?
Thanks
No, the exploit was fixed in 17.0.7. (And for those with earlier versions who were exploited, the MAC address would be your computer network adapter's).
17.0.7 means this exploit won't work, full stop.
As for which mac address, if I'm reading the exploit right, it is your first local address -- so if your Internet connection is through an ethernet connection on your motherboard, it's probably that.
One question... I have the ESR version 17.0.7 I installed on June 26, but I don't have the alpha version 3; I have Tor 0.2.3.25, and I visited pages of Freedom Host (with JavaScript disabled globally). Yesterday I visited Tormail and saw the message "Sorry, closed for maintenance" (with JavaScript disabled globally). Does that mean the exploit worked, or am I at risk? Please help. Thanks in advance.
You are totally safe. Can't you read the information above???
People these days are really fascinating, they seem to work like this: Don't want to invest (time for reading) anything but want to get (a prompt personal answer on a silver dish) everything - I CAN HAS PLZ???
The vulnerability was fixed in Firefox 17.0.7 ESR, and you had JavaScript off anyway. So you are not at risk.
arma, thanks for all your updates and comments, even if it's "we don't know." Frequent communication is always good!
So if one had turned off JavaScript on one's pre-v17 browser, that would have stopped the exploit from executing?
Do we know 17.0.7 actually blocks this? Has somebody tested it against this particular exploit? I know as a programmer myself we like to indicate a bug is "fixed" but it really needs to be tested by others.
Yes -- see Dan's blog post: https://blog.mozilla.org/security/2013/08/04/investigating-security-vul…
Why do people keep saying Firefox ESR 17.0.7 is not affected?
"Firefox ESR 17.0.7 [3] is not affected." Notice the [3].
The [3] is a note number used on the Tor security advisory page.
Any law experts around? Assuming this illegal exploit worked, what could they do with the IP list? Is a couple random visits to FH sites (like, exploring hidden wiki links) enough to warrant raids? Just wondering what exactly was the purpose of this illegal exploit, because clearly not all affected are guilty, even if they did visit some of the illegal sites once or twice by mistake or due to curiosity. A raid on them would destroy their lives nevertheless.
Can this list be used against international citizens? Would international agencies accept tips obtained this way? How can the list of addresses be used as evidence? If external, malicious executable code ran on the target PCs, one could easily argue that a version of this code could entrap people by opening illegal sites in the TOR browser. The code did change multiple times, did it not? And parts of it are not yet obtained.
Isn't the entire premise of this attack - pointless? Apart from branding all TOR users as molesters in the news due to sensationalist titles of course, so that people stop using it and the NSA/CIA/FBI has an easier task to play the Big Brother on everyone.