Tor security advisory: Old Tor Browser Bundles vulnerable
An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
- 2.3.25-10 (released June 26 2013)
- 2.4.15-alpha-1 (released June 26 2013)
- 2.4.15-beta-1 (released July 8 2013)
- 3.0alpha2 (released June 30 2013)
Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.
Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…
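The advisory's remediation is "run a bundle whose Firefox is 17.0.7 ESR or later". The following is an added example, not part of the Tor Project advisory, that turns that into a check you can run against an installed bundle. It assumes that `firefox --version` prints a line ending in the dotted version (as Firefox does on Linux, e.g. "Mozilla Firefox 17.0.7") and that the bundle's Firefox binary sits at `./App/Firefox/firefox` relative to the bundle directory (the Linux TBB 2.x layout); both are assumptions, and the functions work on any version string you pass them, so they can be reused for other layouts.

```shell
#!/bin/sh
# Added example, not part of the Tor Project advisory: check whether the
# Firefox inside a Tor Browser Bundle is at or above 17.0.7 ESR, the release
# the advisory names as carrying the fix. Assumptions: `firefox --version`
# prints a line ending in the dotted version (e.g. "Mozilla Firefox 17.0.7"),
# and the bundle's Firefox lives at ./App/Firefox/firefox (Linux TBB 2.x layout).

FIXED_VERSION="17.0.7"

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Components are compared numerically one at a time, so 17.0.10 > 17.0.7
# (a plain string comparison gets that wrong). Missing components count as 0.
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}
        cb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
        ca=${ca:-0}
        cb=${cb:-0}
        if [ "$ca" -gt "$cb" ]; then return 0; fi
        if [ "$ca" -lt "$cb" ]; then return 1; fi
    done
    return 0
}

# firefox_is_fixed "Mozilla Firefox 17.0.6": succeed when the version at the
# end of the line is at least FIXED_VERSION. Only the last whitespace-separated
# token is used, and any non-numeric suffix (e.g. "esr") is dropped.
firefox_is_fixed() {
    version=${1##* }
    version=$(printf '%s' "$version" | sed 's/[^0-9.].*$//')
    version_ge "$version" "$FIXED_VERSION"
}

# Run the check against the bundled Firefox if this script is executed from
# the bundle directory; otherwise nothing runs and the functions can be
# sourced and reused.
if [ -x ./App/Firefox/firefox ]; then
    line=$(./App/Firefox/firefox --version 2>/dev/null)
    if firefox_is_fixed "$line"; then
        echo "OK: $line includes the fix (>= $FIXED_VERSION ESR)"
    else
        echo "VULNERABLE: $line is older than $FIXED_VERSION ESR; upgrade the bundle"
    fi
fi
```

Note that this only tells you whether the bundle you have now is patched; it says nothing about whether an older bundle was exploited while you used it, which is the separate question several of the comments below ask.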
I am no great techo but
I am no great techo, but neither am I new to Tor nor totally green about security and keeping private, so I hope this isn't a really dumb question...
First, I updated TBB to 17.0.7.4920 on the 29th of July from 10.0.12.4752. And yes, I updated a few hours ago to .8. This is the first time I've used Tor since I knew about the attack.
It would be my assumption that if your main browser is the main FF (23), TBB would be TOTALLY independent and different from it. Right? (To be clear: all the settings, plugins etc.) So why is it my TBB had the same plugins and settings as my main FF, including my whitelist in NoScript? When I just updated I checked these settings and they are now totally independent, so can anyone tell me what's going on or what I did wrong?
It wasn't on the maintenance
It wasn't on the maintenance page. It was injected into the normal sites. The maintenance page started showing up after they were rumbled.
Orly? How do you know this
Orly? How do you know this? Do you have a source?
I'm wondering if I was
I'm wondering if I was vulnerable...
I had NoScript fully active, but iframe was unchecked. Would a browser in that configuration have been compromised by this attack?
While recently using Tails
While recently using Tails (0.19/0.20 now) under VirtualBox (yes, I know it is best run from CD/DVD or USB) I have found that the real DNS server is listed in Connection Information as a secondary DNS server; that is, the DNS server your host is using. This seemed like it might potentially be exploited for traffic analysis purposes, so I reported it to the Tails project.
From looking at /etc/resolv.conf and seeing that it only contained the loopback address, 127.0.0.1, I was assured that everything was okay, unless one uses the Unsafe Browser in Tails, which could make use of the real DNS. The reason for this appearance of the DNS server is VirtualBox's DHCP server returning the address to the DHCP client in Tails.
Even though it may not represent a serious security risk, I still find it a little bothersome to see this. You can find this information in Tails by opening "Connection Information" from the network dropdown menu at the top right.
Since I have two actual DNS servers set for my host, I tried first to get rid of the second one by removing it from the host configuration. But then Tails showed my first DNS server as the secondary instead inside Connection Information. Next, I went to "Edit Connection" in the same menu and, looking at the IPv4 tab, I found it set to use DHCP (automatic). I changed this to DHCP (addresses only) and saved the changes (Tails needs to be started with a root password for this). The network connection is immediately dropped and you have to force connection again in the same menu for the device used. Then upon checking Connection Information again the secondary DNS is removed. It seems that Tails should come with DHCP set as I have it by default, unless some other reason can be given.
I'm looking into the options in VirtualBox to change DNS proxy/resolver under NAT to try to eliminate this from the start using the VBoxManage command. See http://www.virtualbox.org/manual/ch09.html#changenat for details.
Please feel free to spread this around, others can investigate, or be more paranoid ;)
On top of that, I have to say I'm not impressed that the new Tails still comes with Iceweasel set with JavaScript on, cookies on, and a few security parameters off; NoScript didn't seem to be automatically on at one point or another. It could all be set to off or strict settings by default. Not sure why it isn't!
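The comment above describes two things a practitioner would want to script: confirming that the guest's resolver configuration only points at loopback (the check the commenter did by hand on /etc/resolv.conf), and stopping VirtualBox's NAT DHCP from handing the host's real DNS servers to the guest in the first place. The following is an added example, not code from Tails, VirtualBox or the Tor Project. It assumes the VM's first network adapter is the NAT adapter (that is what the "1" in the VBoxManage option names refers to), that "TailsVM" is a placeholder name, and, as the VirtualBox manual linked above describes, that with the NAT DNS proxy enabled the guest is given the NAT engine's own address (10.0.2.3) as its resolver rather than the host's servers.

```shell
#!/bin/sh
# Added example, not from Tails or VirtualBox. Two pieces:
# (1) nonloop_nameservers: parse a resolv.conf-style file and report any
#     nameserver that is not a loopback address. On Tails the file should
#     list only 127.0.0.1, so anything else is a resolver the guest could
#     reach directly (which is exactly what the Unsafe Browser would use).
# (2) vbox_nat_dns_proxy: make VirtualBox's NAT engine act as the guest's
#     DNS server (10.0.2.3) and forward queries itself, so the host's real
#     DNS servers never appear in the guest's DHCP lease.
# Assumptions: adapter 1 is the NAT adapter; VM name is a placeholder.

# nonloop_nameservers FILE: print each non-loopback nameserver in FILE, one
# per line, and succeed only if there were none.
nonloop_nameservers() {
    found=0
    while read -r key value rest; do
        [ "$key" = "nameserver" ] || continue
        case $value in
            127.*|::1) ;;                        # loopback resolver: fine
            *) printf '%s\n' "$value"; found=1 ;; # reachable external resolver
        esac
    done < "$1"
    [ "$found" -eq 0 ]
}

# vbox_nat_dns_proxy VMNAME: enable the NAT DNS proxy on adapter 1.
# Run on the host while the VM is powered off (modifyvm needs that).
# Alternative with the same effect on the lease: --natdnshostresolver1 on,
# which resolves through the host's own resolver library instead.
vbox_nat_dns_proxy() {
    VBoxManage modifyvm "$1" --natdnsproxy1 on
}

# Report-only run against the live system; nothing here changes anything.
if [ -r /etc/resolv.conf ]; then
    if leaked=$(nonloop_nameservers /etc/resolv.conf); then
        echo "resolv.conf: only loopback resolvers, as expected on Tails"
    else
        echo "resolv.conf lists non-loopback resolver(s):"
        printf '%s\n' "$leaked"
    fi
fi
# Host side, once, with the VM shut down (placeholder VM name):
#   vbox_nat_dns_proxy "TailsVM"
```

The resolv.conf check is deliberately separate from what the desktop's Connection Information dialog shows: the dialog reports what DHCP offered, while /etc/resolv.conf is what the system actually resolves through, and as the commenter found, the two can differ without the Tor-side configuration being affected.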
no sooner does one download
No sooner does one download Tor than the devs are urging users to upgrade, citing security vulnerabilities. Wait one week and the current version of Tor will be out of date, the bundle a security risk, Tails no longer recommended. Of course, using the latest version of software is not that smart either: you risk encountering bugs not realized yet.
My browser says "Sorry. You are not using Tor." So I put the IP address from check.torproject.org in the browser and find that it is a torservers.net exit node. Go figure.
The Tor bundle does not include firewall software that could block traffic that is not Tor traffic. IMHO the browser and ALL OTHER SOFTWARE have no business retaining the ability to access the internet directly. Surely all non-Tor traffic ought to be blocked for the session. How on earth did a JavaScript exploit allow packets to be sent outside of Tor? And how well hidden are hidden services now that Freedom Hosting has gone down? How did this happen? If half the onion sites are on Freedom Hosting and the NSA is bulk-capturing packets, they're bound to figure it out, aren't they?
And how the hell can one use Tor and stay the fuck away from the USA? I have tried to figure this out; it ought to be straightforward. If Tor can be easily configured to stop connecting to Tor nodes in the USA I will use it again, otherwise I will not trust it again.
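The comment above asks how to keep Tor from using relays in a given country. Tor's own configuration file supports this through the ExcludeNodes and StrictNodes options, matched against the geoip database shipped with Tor. The fragment below is an added example, not the bundle's default torrc and not text from the page. Two caveats a practitioner would want: the country attribution is only as good as the geoip database, and excluding a large share of the network makes your client's path selection distinctive and shrinks the pool of relays it can use, which is the trade-off the Tor manual warns about for node-selection options generally. Keeping circuits out of one country also does nothing against an observer who can watch the links your traffic does use.

```text
# Added example torrc fragment (not the Tor Browser Bundle's default torrc).
# Exclude every relay that Tor's geoip database places in the United States
# from every position of every circuit: guard, middle, exit, and the
# introduction and rendezvous points used for hidden services.
ExcludeNodes {us}

# Without StrictNodes, ExcludeNodes is only a preference: when Tor cannot
# otherwise build a circuit (for example to reach a hidden service, or to
# fetch directory information) it will use an excluded relay anyway.
# StrictNodes 1 turns the exclusion into a hard requirement, at the cost of
# those operations failing when no permitted relay is available.
StrictNodes 1

# Relays whose country cannot be identified match the code {??}. Add it if
# unknown-location relays should be avoided as well:
# ExcludeNodes {us},{??}
```

After editing, `tor --verify-config -f /path/to/torrc` checks that the file parses before you restart the client.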
So does anyone know for how
So does anyone know for how long this attack went on? A couple of weeks, just a few days, or what? I heard the malicious code was discovered just a few days ago (during the weekend, I think), but how do we know it hasn't been there prior to that as well? It could be that people who updated a couple of weeks ago and think they weren't affected actually were.
Here's the comment from only
Here's the comment from only a few above yours:
"Don't know is the short answer.
However, what little evidence there is seems to point to it being implemented at the last weekend when the Freedom Hosting sites were taken down.
The affected sites had a "down for maintenance" message. I'm not clear whether the exploit tried to run when that "down" page was visited or whether the sites were actually down for real and the exploit was only implemented once they were back up (assuming they are back up).
It appears that the exploit (IF it worked on a user's browser and my understanding is that it doesn't work on Firefox ESR 17.0.7) also caused the browser to close or crash and those crashes haven't (I don't think) been reported by anyone prior to last weekend.
Also, if the exploit had been out in the wild for some time (e.g. since mid July) I'm pretty certain it would have been discovered prior to now.
None of this is 100% though. It could be that the exploit has been out on the loose for weeks and weeks."
hey i have tor bundle
Hey, I have Tor bundle 2.3.25-8 and it says it's running Firefox 7.0.7. Could I still have been affected??
is there any way to tell if
Is there any way to tell if you've been hit?
latest tor browser bundle
Latest Tor Browser Bundle appears fake; all nodes up a matter of hours with ridiculous transfer speeds.
Where did you get it
Where did you get it from?
Also, what version is it? ("latest" is not a version.)
latest release from here.
Latest release from here, 2.3.25-12. Basically all nodes have up-times of a few hours and the fastest nodes have very high transfer rates: 298mb/s.
No one's really answered
No one's really answered this, but put simply: if your browser was old but hasn't had a crash, you should be okay?
Secondly, is there a point at which the has been cleansed server side? By that I mean, could a vulnerable set-up accessing Tormail be okay because the servers have been sorted? Or is the malicious code still active if certain links are clicked?
May i conclude that Mac OSX
May I conclude that Mac OS X users were never vulnerable?
The Firefox exploit works on
The Firefox exploit works on any OS, but the payload used in this case works only under Windows.
So Mac users are not affected just because the attacker is too lazy to write the code.
Trawling for Tor Hidden
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization
http://cryptome.org/2013/08/trawling-tor-hidden.pdf
"... This means that within 8 months, the probability to deanonymize a long-running hidden service by one of these servers becoming its guard node is more than 90%, for a cost of EUR 8280 ..."
Has there been feedback on
Has there been feedback on this?
Feedback Tor Team?
I really do not understand
I really do not understand why so many people are crying about shutting down JavaScript by default in the Tor browser.
Just use the Tor Browser default setting for general use, making you hide in the cloud of same-setting users.
And then when you plan to visit some virus-laden URL (for instance, I like to trace virus upload sites for fun), or when you want to do other secretive stuff, only then, just for that occasion, switch the browser to high defense mode, i.e. turn JavaScript off in NoScript, and of course run Tor in Linux or a VM. Really scared people could also block images.
This way your traffic only looks unique for this special visit, and can only be fingerprinted for that exclusive visit, not tying it to any other traffic that you did in default mode.
Problem solved.
All this worrying, for
All this worrying, for nothing. If you had JS enabled you belong in crowbar motel. And also, if you had JS enabled you would already be there. By itself Tor is NOT safe, and never was. Come on, the Gov designed this thing. I think a couple of months ago someone from the Tor project said flat out that they would help the Gov whenever needed. You are living a false dream if you think Tor alone can protect you. One last thing: if you don't know how to set up your computer and change settings to make your life safer, you've got no business on the internet, and that puts you right up there with all the script kiddies that call themselves Anon or whatever; you become a danger to yourself and others.
Now for the real question, WHAT DID YOU DO TO TOR, with the new release, NOTHING WORKS, and I mean NOTHING.
Why does TBB use such an
Why does TBB use such an outdated major version of Firefox in the first place? The current TBB uses FF version 17.0.8. The current version of FF is 23.0.1; obviously each new version of FF has patched various security issues.
I suffered browser crashes
I suffered browser crashes / closures when running in Linux VirtualBox. Is there any problem?
Hey arma. I am quite new on
Hey arma. I am quite new on Tor, and have some doubts about this exploit issue. I'll try to make YES or NO questions:
I have TBB 2.3.25-8 (17.0.6) running on a VMware VM with WinXP.
1) In the TBB Tools -> Options I have disabled the "Activate Javascript" item. That means that all JavaScript is disabled and the malware didn't work if I was on a FH site?
2) I also have NoScript with these options: "Block all objects from non-trusted sites" is enabled, and "Allow JavaScript globally" is disabled. Do those options make a better block to this exploit? Does having JavaScript disabled from Tools -> Options make NoScript useless because it is already blocking JS?
3) Is the FF 22 that I have installed apart from TBB totally independent? If I have JS enabled on FF 22, could that let the malware run on TBB, or are the options from TBB independent from Mozilla FF 22?
4) If the exploit had worked: having TBB in a VM, would the exploit have sent the hostname and MAC address from the VM instead of sending the hostname and MAC from my real PC? I think that the IP is common to both, but the hostname and the MAC address aren't.
5) The last time I used Tor was mid July (I know from the last-modified date of the Tor files). The exploit is supposed to have been planted in the last days of July, right?
6) If in the future I want to uninstall Tor, do I just delete the folder? Does it keep files in some registry that I have to wipe?
A lot of questions, but easy ones for someone who knows about it (I think this will help others like me). Thanks to whoever answers this!!!
I update promptly each time
I update promptly each time I receive an update notice, but JS is automatically turned back on after each update, and I forgot to disarm it with the last few updates. Does this mean I have been compromised? Is there a way of checking whether my PC has the offending code (Windows 7), and how do I get rid of it? I thank you for all the great work done on Tor, but PLEASE SET IT UP SO JS IS AUTOMATICALLY DISABLED.
Tor announcement says "We
The Tor announcement says "We don't currently believe that the attack modifies anything on the victim computer." So there is no need to reinstall Windows to make sure the script is still reporting back to whoever?
If I updated promptly but forgot that updates turn JS back on and neglected to disallow it, have I been compromised?
Hi, I was on the latest TBB
Hi,
I was on the latest TBB on Tormail. My Vidalia control panel just disappeared leaving the TBB on. No trace in the task manager. Hope it wasn't exploit related.
Arma?
I first downloaded the TOR
I first downloaded the TOR browser in August this year; the only reason I did was to see if the "Silk Road" website existed. I heard about it as an urban legend, so curiosity got the better of me and I had a look. Yes, it sounds ridiculous, but it's true.
I was also given information that if you want to research subjects or ideas that are not mainstream, the TOR browser doesn't filter out like other search engines do and you can obtain more info on your given topic.
Surely it's not against the law to USE the TOR browser???
Why are people freaking out about the feds??
if I run an old version of
If I run an old version of Tor browser, but I disable JavaScript, am I safe?
What if I use a live distro?
Giacomo Casanova
1) the exploit code appeared
1) The exploit code appeared to be in the webserver, attaching the code to every webpage the server sent out, including 'down for maintenance' pages.
2) The sites were down for a few days. Then there was a brief (perhaps 3 hours) period when the websites were reachable, then the 'down for maintenance' page was displayed.
I don't subscribe to the theory that the target was Tormail, for the reasons you state. I am under the assumption that the hex identifier was formulated to identify the website being visited, and then collect the MAC/hostname/IP of the visit into a database for further action. The question is, what is that 'further action'?