Tor security advisory: Old Tor Browser Bundles vulnerable
An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
- 2.3.25-10 (released June 26 2013)
- 2.4.15-alpha-1 (released June 26 2013)
- 2.4.15-beta-1 (released July 8 2013)
- 3.0alpha2 (released June 30 2013)
Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.
Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…
Hi, quick question
If I had version 17.05 but NoScript set to block all scripts globally, would that still make me vulnerable?
Thanks in advance.
No, the exploit requires Javascript to work. If Javascript was disabled, as it should have been in the first place, there is no chance it could have worked.
It is impossible to confirm that patched users of 17.0.7 were immune to the data mine.
For TBB 2.3.25-10 (17.0.7), which is what most of us are currently using, the exploit was fixed and delivered on or about June 26 (assuming you patched).
The exploit was REPORTED to have been executed in early August, so most with 17.0.7 would assume they are safe, however..
How do you know the exploit was not happening before June 26 ???
You do not.
Although it was patched on June 26, it may well have been happening for quite some time before that. Quite some time before you all updated to 17.0.7. Happily collecting your data, waiting for its presence to be discovered by someone ('Nils' on June 25).
Yes you are safe NOW from this particular exploit if you have 17.0.7, but there is no way Mozilla/TOR can confirm you were not compromised before June 26.
If you did access a FH site before June 26, I think it would be safe to assume there is a significant chance your IP/Host/MAC is on file and currently being 'processed'.
I am not here to panic you. I am just thinking through this logically.
Sources on the reported exploit execution dates, please? I've read over a dozen news stories and forum threads on different sites about this, but so far I haven't seen much if any speculation regarding exact dates outside of this blog.
On a related sidenote, I understand most or at least many people who were subjected to this exploit experienced a browser crash. One would think these crashes would have been reported during all of July if the exploit had been in effect "silently" from way beyond the fixed update on the 26th of June. Have there been numerous unexplainable crash reports before this week/last weekend?
I have an interesting question. Did anybody experience a crash who is sure they had JavaScript disabled? Is it proven that only having it enabled could cause the browser to crash? I wonder if there's a possibility the browser could be compromised and crash using iframe if enabled and/or something else even with JavaScript disabled.
There are a bunch of bugs in Firefox that can cause unrelated crashes. They're not particularly common, but once you have many hundreds of thousands of users (like TBB does), some users will encounter them.
Assuming you had javascript disabled, your crash was probably something unrelated. As far as we know currently that is.
(Also, it's not just Firefox. We add our own patches to Firefox to deal with privacy and security vulnerabilities that Mozilla doesn't care to fix. And one of those patches could have caused the crash too.)
Yes, after visiting the TM homepage. And... I was using Tails and the 1st thing I do is disable JS. Could have been something else as I've had a similar crash in the past but not for a while. This happened on the 4th I believe. Also running the most recent Tails distro. ???
Don't know what to think but believe it has more to do with drugs than CP
Freedom hosting admin was just busted a little over a week ago.
Would it make a difference if Javascript was enabled globally and Iframes were disabled on all sites via NoScript?
I don't think the exploit would work in that case, because it runs inside an iframe. The server-side code would write the cookie but the rest wouldn't run.
Stupid question. But every time I've used TOR, I've downloaded TBB, used it and then deleted it. So if I did this a few times over the last couple of weeks I should have used the last version every time, and should be safe even with JS enabled, right?
The TBB that you download from the site, is that always the latest version?
The website does in fact try to give you the latest version each time, yes.
Be sure to check the signature each time you download it. (And if you're on Windows, where it's hard to check the signature because you can't securely get any software to do it ... consider not being on Windows anymore.)
Not happening. It is a ridiculous suggestion. Plus PGP software for windows does exist, despite your comment suggesting otherwise.
It could be easier to use, but a particular piece of software for a platform is not indicative of any problems (or benefits) of that platform. Truth is we have more software choices for just about everything on Windows. Given the existence of VM software - a person can run multiple OS's on any computer at once anyhow so why does it matter?
You aren't doing TOR project any favors with your smug Windows-hating hipster attitude.
_______Begin Quoted Text_______
The thrust of my position is that security is an absolute property that must be designed in from the beginning, coded with care, and enforced throughout the software development lifecycle. This embodies a set of issues that are orthogonal to whether the source code is open or not -- it depends on training, design, and use of appropriate tools. Thus, the nature of whether code is produced in an open or proprietary manner is largely orthogonal to whether the code (and encompassing system) should be highly trusted.
[...]
We often hear debate about which is more secure: open source or proprietary source. Each side makes arguments and refutes the arguments of others. In truth, neither is correct (or both are). Whether or not source is proprietary does not determine if the software is better.
[...]
From this standpoint, few current offerings, whether open or proprietary, are really trustworthy, and this includes both Windows and Linux, the two systems that consistently have the most security vulnerabilities and release the most security-critical patches.
_________End Quote Text______________
- Gene Spafford (from circa 2000-2002)
http://spaf.cerias.purdue.edu/openvsclosed.html
A famous Spaf quote:
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."
(http://spaf.cerias.purdue.edu/quotes.html )
If you (the one hurt-by-Windows-criticism) had bothered to actually read Arma's comment word for word before huffing and puffing and taking offense, you would have seen
the word
"securely"
as in
" you can't securely get any software to do it".
If you want to rectify that, for starters please cite an URL that fits that criterion. Be constructive.
Thank you.
Yes indeed. Our "how to verify signatures" page is a disaster for Windows users:
https://www.torproject.org/docs/verifying-signatures
since it starts out with "first, fetch gnupg.exe from this http url"
Sorry but it still isn't 100% clear to me.
If I was using 2.3.25-10 with Javascript enabled (in Firefox settings), Forbidden Script Globally and visited Tormail. Was I injected?
No. Firefox ESR 17.0.7 used in TBB 2.3.25-10 is not vulnerable, even with Javascript enabled.
Switching away from windows because there is a security issue in the software YOU use. Forget it, I will no longer support you. You are nothing but Microsoft hating geeks.
Even if everyone switched to Macs, this exploit still would have worked because it allows execution of whatever code the exploiter wants to put in there. They could have written Mac specific code if they had wanted.
I'm confused with regards to noscript - did blocking all scripts globally include javascript? I used a javascript test site to see if it was enabled with noscript blocking all scripts, and it wasn't enabled. Does that mean I'm safe?
"block all scripts" does in fact refer to JavaScript, yes.
Would having only Tor allowed to access the net in my Windows firewall settings (not even DNS is allowed through) block this attack? How likely are the ramblings of the guy saying he runs exit nodes and embedded the exploit in random traffic? Would the n_serv cookie have still showed up in that case?
Yes you would have been safe from this exploit. Make sure only a user with admin rights is able to turn the FW off. The payload itself was extremely straightforward - a 5 year old could have written it. Honestly, they could have done much more damage if they really wanted but they didn't for some reason (lack of time?).
The injection story is a hoax imho, but is technically possible if and only if the UUIDs were static. If they are dynamic and logged at the FH servers then it is not possible to "poison" the database.
Forgot to mention that as an exit node operator he would not be able to "accuse" real Tor users because he cannot know their IP addresses.
He could have spoofed random IPs but then it does not make sense to use an exit node at all. So again 99% sure that this story is a hoax.
If Tor.exe is allowed but not tbb-firefox.exe (and your version was vulnerable), it would have failed trying to connect outbound because it ran within the tbb-firefox.exe process space.
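For the firewall questions in the two exchanges above (only tor.exe allowed out, nothing else, not even DNS), here is an added example of that policy expressed for the built-in Windows Firewall. It is not code from the Tor Project or from any commenter; the tor.exe path is an assumption, and the commands must run from an elevated prompt.

```powershell
# Added example, not from the Tor Project or the thread: default-deny outbound
# Windows Firewall policy that whitelists only tor.exe. A compromised browser
# process (tbb-firefox.exe) then cannot connect out directly, and the system
# DNS client cannot leak lookups outside Tor either.
$TorExe = "C:\Tor Browser\App\tor.exe"   # assumed path; point at your bundle's tor.exe

function Set-TorOnlyEgress {
    # Block everything outbound (and inbound) by default on every profile.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null
    # Drop a stale copy of our rule so the script is safe to re-run.
    netsh advfirewall firewall delete rule name="Tor only egress" | Out-Null
    # Exactly one program may talk to the network; Tor speaks only TCP.
    netsh advfirewall firewall add rule name="Tor only egress" dir=out action=allow `
        program="$TorExe" protocol=TCP enable=yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to add the Tor egress rule" }
}

function Test-TorOnlyEgress {
    # Every profile's "Firewall Policy" line must read BlockOutbound.
    $policy = netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
    $open   = $policy | Where-Object { $_ -notmatch 'BlockOutbound' }
    return (@($open).Count -eq 0)
}

Set-TorOnlyEgress
if (Test-TorOnlyEgress) { "Outbound default-deny active; only $TorExe may connect." }
else                    { "Some profile still allows outbound traffic; check the rules." }
```

A default-deny outbound policy also stops Windows Update and every other program until you add rules for them, so try it on a dedicated machine or VM first. As the reply above notes, a standard (non-admin) user account cannot disable or edit these rules.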
The real solution is to install tor in a virtual machine with a new Windows installation, then take a snapshot after you install TBB on it, and have it restore to the snapshot after EACH use.
They can hack all they want, all they'll get is a clean system with nothing on it, and the system will be restored to its original state after each use.
Tips:
Set the DNS server to some bogus IP address so no legit domain names will ever get resolved to an IP unless they go through Tor.
Adjust the firewall so only the tor ports are opened.
Use the open-source VirtualBox instead of the closed-source VMware.
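The "restore to the snapshot after EACH use" step above, as an added example that is not from the Tor Project or the commenter: a VirtualBox session wrapper for a Windows host. It assumes a VM named "tbb-clean" with a snapshot "clean" taken right after installing the guest OS and TBB, and VBoxManage.exe at the default install path; all three are assumptions.

```powershell
# Added example, not from the Tor Project or the thread: start a throwaway
# Tor Browser VM from a clean snapshot and roll it back once the guest is off.
$VBoxManage = "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
$VmName     = "tbb-clean"   # assumed VM name
$Snapshot   = "clean"       # assumed snapshot name

function Get-VmState {
    # Parse VMState="..." out of the machine-readable VM description.
    $info = & $VBoxManage showvminfo $VmName --machinereadable
    foreach ($line in $info) {
        if ($line -match '^VMState="(.+)"$') { return $Matches[1] }
    }
    throw "Could not determine the state of VM '$VmName'"
}

function Wait-VmPoweredOff([int]$TimeoutSeconds = 0) {
    # Poll until the guest is off; a timeout of 0 waits indefinitely.
    $waited = 0
    while ((Get-VmState) -ne "poweroff") {
        if ($TimeoutSeconds -gt 0 -and $waited -ge $TimeoutSeconds) {
            throw "VM '$VmName' did not power off within $TimeoutSeconds seconds"
        }
        Start-Sleep -Seconds 5
        $waited += 5
    }
}

function Restore-CleanSnapshot {
    # A snapshot can only be restored while the VM is off. Restoring discards
    # every change made since the snapshot was taken, which is the whole point.
    if ((Get-VmState) -ne "poweroff") {
        & $VBoxManage controlvm $VmName poweroff | Out-Null
        Wait-VmPoweredOff -TimeoutSeconds 60
    }
    & $VBoxManage snapshot $VmName restore $Snapshot
    if ($LASTEXITCODE -ne 0) { throw "Restoring snapshot '$Snapshot' failed" }
}

function Start-TorSession {
    Restore-CleanSnapshot                 # begin from the known-good image
    & $VBoxManage startvm $VmName --type gui
    Wait-VmPoweredOff                     # the user shuts the guest down when done
    Restore-CleanSnapshot                 # wipe whatever the session left behind
}

Start-TorSession
```

The bogus-DNS and ports-only firewall tips are guest-side settings and belong inside the snapshot, so take it only after they are applied.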
If you're willing to run stuff in a VM, you should probably run Tails in that VM rather than TBB.
So, I'm going to ask the question nobody seems to be asking. If you feel as if you may have been compromised, what should you do?
Well, it just means your IP and MAC address as well as proof of what exploited site (possibly page) you visited is on a U.S. government list along with probably thousands of others. Only you know what pages you visited and what would happen if the U.S. government knew you went there. Other than that, the exploit didn't leave a virus or install anything, just phoned home with that info.
You should RUNNNNNNNNNNNNNNNNN
Exactly ... if the JavaScript exploit downloaded malware on a user's computer it should be possible to scan for traces of this infection. So users need to have a way of finding out if they have been compromised... is there a scanner for this malware?
As far as we can tell, no malware was installed by the exploit.
Anybody else remember when the default settings for NoScript in TorPark had "allow scripts globally" set to on?
My question is who the hell got paid to turn that on for the bundle when nobody was looking?
As far as I know, there have been no Tor Browser Bundles where JavaScript was disabled globally by default. Please show me one.
Also, seriously, TorPark? That brings me back. I'm glad we have all the browser-level privacy and security fixes that people have developed since then.
Hi - I was one of the unfortunate ones that tried to log in to tormail and got the error "system maintenance, please check back in a few hours". I got that error about 5-6 times as I kept trying to log in. I had Javascript enabled and was running the torbrowser bundle with Firefox 17.0.7. Does this mean I was not affected by this 0day exploit?
Can someone please confirm this as quite worried :( Thanks.
As far as we know, Firefox 17.0.7 was not exploitable by this exploit.
Hello. A little question, if anyone is able to confirm.
v17.0.6 + JS off(unchecked from options) = compromised?
thanks.
If you weren't running any javascript, you should be ok against this exploit.
(But there are other vulnerabilities in 17.0.6 that mean someone could still attack it in a different way. Upgrade!)
Question: in the advisory it is recommended to use RequestPolicy. Wouldn't that lead to browser fingerprinting because of the low amount of RP users, meaning my TBB browser would be pretty unique?
It would, you're right. It's all about tradeoffs -- it depends what aspects of privacy and security you're most concerned about.
I never used Tor on my actual machine; it was always on a virtual machine...which was only connected through a VPN...why make it easier on them?
Each time I update TBB, the first thing I do is always put that damn NoScript to good use. People think it's there because it looks cool?
I've been reading about this since the last two days... And I wonder...
- What if Tor and Tails are a part of NSA, FBI or CIA?
- What if Tor and Tails are a big fishnet to catch every stupid who thinks "I'm using Tor, so I'm safe!!"?
Are you 100% sure that Tor is "gov-free"?
1st Rule to "be safe": never use your own connection!
2nd Rule to "be safe": macchanger -r.
3rd Rule to "be safe": Live system + encryption.
Use Kali or even wifiway (lame piece of cr*p) and get a "backup" connection. Yes, might be slower than your own connection, but FBI guys won't be shooting at your door.
Then, you can use Java, Flash, or whatever. They may reach your neighbour's IP, but even if they get the router, and take every PC in the neighborhood, including yours, you're safe. Your real MAC never connected to the router, the live system leaves no trace, the encrypted flash unit is in your rectum, or another safe place.
PS= I don't need to say that you must use GNU/Linux. If you're stupid enough to use windows, you deserve to get caught.
"Use Kali or even wifiway (lame piece of cr*p) and get a "backup" connection. Yes, might be slower than your own connection,"
"They may reach your neighbour's ip,"
So you're encouraging people to /crack/ and use their neighbor's WiFi without permission?
Isn't that a form of /theft/?
How would you feel if someone were to do that to /you/?
"the encrypted flash unit is in your rectum"
Put what you want in /your own/ rectum but keep-out and away from the rectums (and other orifices, for that matter) of other people, /especially/ children and adolescents.
Another noob question.
I removed NoScript and HTTPS Everywhere from the Tor bundle (2.3.25-10). I always surf with JavaScript disabled and cookies off. If I then went to Tormail, did my IP get uncovered?
My Firefox version is right, but my Tor Browser's "date modified" is June 23. Is this okay?
Probably.
If one had Java turned off in Firefox in the options, could it have been used to spoof your IP?
Uh. There's an alarming amount of confusion in this question. Java, or did you mean JavaScript? Used by whom to spoof your IP to whom?