Tor security advisory: Old Tor Browser Bundles vulnerable

An attack that exploits a Firefox vulnerability reachable from JavaScript has been observed in the wild. Specifically, Windows users of the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.

This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:

Tor Browser Bundle users should confirm they are running a bundle built on Firefox 17.0.7 ESR or later, and consider taking further security precautions.

Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…

If you ran NSA, GCHQ, Mossad, where is the first place you'd put a covert agent? MSFT, right? Ever wonder why they keep finding all those vulnerabilities that require update after update? Many of their employees work for intelligence agencies from all over the world. The Russians put something in, we take it out and put something else in, the U.K. agent finds it and takes it out and puts something else in. With apologies to Disney, "the circle of surveillance continues." It always will with software that does not have source code openly available.
Gnovalis

"It always will with software that does not have source code openly available."

Gene Spafford, from circa 2000-2002:

http://spaf.cerias.purdue.edu/openvsclosed.html

"the nature of whether code is produced in an open or proprietary manner is largely orthogonal to whether the code (and encompassing system) should be highly trusted."

"From this standpoint, few current offerings, whether open or proprietary, are really trustworthy, and this includes both Windows and Linux, the two systems that consistently have the most security vulnerabilities and release the most security-critical patches."

How many people, who actually possess the requisite expertise, actually examine ALL of the code?

think they wouldn't spend the few hours kissing up to governments that could shut them down or make their life hard - US just goes after people's privacy

Spoken like an individual who believes in the rule of law. Have they ever had the opportunity to see the inside workings of governmental systems? Well, in governmental/sovereign systems, in both of these there exists something called "summary judgement". A summary J is what happens when you p** off a "social worker" & they tell you your average spend down has been cut by $1,100 a month. On the top end we have the Feds who "regulate" (some say fix) the market. A city may decide to improve their coffers by taking your property. Of course in the latter you may under federal statute fight it, but we who are slaves to systems that never existed a month ago (& we bloody well better wake the hell up, sorry for the outburst) already know that whatever BAR we reach they will make higher. What are people saying? OK, remember the housing problems 8+ years ago where your home mortgage was sliced & diced? Well that's what's going to happen to your entire lifespan. Just one wrong entry & kiss your savings, car, home, + your retirement goodbye, & if you need electricity for medical equipment, bye-bye. So it's not just the collection of all your bits & parts but finding yourself rearranged like Frankenstein's "Monster" & shoved into a "no-fly list". I'm really not sure if you will get it until you one day find your situation in a preterminal state, or worse, a slave till you die. Hope being frank is tolerated. Otherwise ta.

John

August 05, 2013


So basically if someone had JS enabled but had updated their TBB within the last month they wouldn't have been affected by the malicious JS?

Theoretically, at least.

Yep, although there is one specific build of TBB with FF version 10 that for some reason did not mention that. But part of this JavaScript attack was that it checked to see if you were running version 17.xx (this was a vulnerability associated with this version).

Look around to verify if version 10 was affected by this malicious script.

That is purely wrong and misinformation from people who can't read the code!

The script checks for "document.getBoxObjectFor != null"
Which is a function removed in FF3.6(!!).

It also checks as an OR for "window.mozInnerScreenX != null", which is implemented in every browser using the mozilla engine.

So the script doesn't give a damn what version you have. Every Mozilla-based browser is targeted (not only Firefox). It works for every single FF version under the updated one.

That's only the injected javascript. The javascript served up by the hacker/government's server parses navigator.userAgent for "Windows NT" (exiting if not found), "Firefox" (exiting if not found) and the version number. In function b() it says if(version <17){window.location.href="content_1.html";} in other words redirecting to a different page on the hacker's server that presumably contains a different exploit for versions < 17 (nobody seems to have a copy of that file so it may do nothing as well). if (version >=17 && version<18 ) it sets a global flag which it checks later to see if to proceed with the exploit (if the flag isn't set i.e. version >=18 it exits).

I'm sorry but I'm very tech illiterate (can't read code). Are you saying that the TBB released after June 26 are also vulnerable to the attack? This seems to go against everything I have read regarding this attack.

If I misinterpreted what you meant, I apologize.

You are half-correct. You are talking about the script that injects the iframe. The actual exploit loaded into the iframe only attacks Firefox 17.

Well, that makes me feel much better. Don't surf CP websites but I did use TorMail and I was worried that I might have been 'pwn'd' by this exploit.

Thankfully, I installed the Alpha2 latest version of the Alpha TBB almost 4 weeks ago so I was covered and I was using a non-exploitable version of the TBB bundle before that.

Please tell me why any self-respecting Linux user would use TBB instead of Tails??
Honestly, same goes for Windows users, why not use Tails?

Like many others, I use Tails whenever possible. But, where I cannot boot from USB (such as at work), I have to use TBB, which is better than nothing.
Gnovalis

Simple enough to answer. Connections and bandwidth. Not everybody in the world, and especially in rural areas of one country in particular that prides itself on being a leader in technology, has access to broadband or even reasonably fast internet. Downloading an 800+MB ISO image, even as a torrent, is a painfully long process over dial-up! By the time the current version downloads, the 'Unlimited' (translate to 300 hours/month) dial-up account is exhausted for the month, and chances are you have to download a new version anyway as an update has been released.
Oh, when you have broadband, it's easy to say why would someone use the smaller option when the larger one is better, but look at the other side of the digital divide and the answer becomes quite clear.

The large developer and security analysis community around Tails, compared to the voice-in-the-wilderness aspect of Whonix?

The VM approach is better in theory, but not yet clear to be better in practice. Please help!

John

August 05, 2013


Thank you very much for all the time and work you put in this.

At least now we can calm some people down a bit.

If only they would pull their heads out of their asses and disable javascript by default. They were warned, they just wouldn't listen, even now.

Spot on mate. It's a minor annoyance for those of us who're happy to dive into NoScript's settings, but potentially life changing for those out there who trust the bundle to have everything covered out of the box. Can't help but think that when there's no good reason to have it so, the reason for having it so must be 'no good'.

I always forget to update Tor. It would be nice if Tor had an auto update option.
I clicked on some links with Firefox 10 ESR that some people posted. I really hope the vulnerability didn't work with Firefox 10 ESR :-(

How sure are you of that, are you one of the experts who tried it themselves, or could you link a source please? Do you mean to say people actually used the older versions of the browser (or spoofed the version) and tried to get this page the same way content_2 was obtained? There are many people who are worried and very interested in this, from what I'm reading here and on other sites.

I'm not the same anon, but I've been trying for days to get content_1.html off their servers (both the direct IPs and their onion-ized version). In fact, to get anything including index.html, but the server was either down or the files weren't found. BTW version 17-18 will get content_2 and 3. Only if version < 17 does it do a complete redirect to content_1.html where then something happens -- nobody knows.

Yes, it does trigger the attack.
The function checks for:

"return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));"

document.getBoxObjectFor is a function removed in 3.6.
mozInnerScreenX is implemented in every Mozilla browser.
It does not specifically check for a version. It even executes on FF 22.
Whether the malware can go through, though... I don't think anyone can actually test that practically.

Cautiously assume all Firefox versions since 3.x have the vulnerable code. This particular malware possibly only worked for 17 ESR on Windows though, with JavaScript enabled.
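The two gating checks this thread keeps returning to, the engine probe quoted above (getBoxObjectFor / mozInnerScreenX / "Firefox" in the user agent) and the second-stage user-agent gate described earlier (exit unless both "Windows NT" and "Firefox" are present; redirect to content_1.html below 17; proceed on 17.x; exit at 18 and up), reconstructed as one runnable JavaScript example that can be fed sample user-agent strings. This is added example code, not text from the advisory and not the malware's own code: the function names, the `env` object standing in for document/window/navigator, and the sample user-agent strings are this example's assumptions. It runs under Node without a browser.

```javascript
// Added example: reconstructs only the two gating checks described in the
// thread so they can be exercised offline. Not the advisory's code and not the
// malware's code; names, the `env` stand-in and the samples are assumptions.

// Stage 1: the injected script's engine probe, as quoted in the thread:
//   document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent)
// `env` is a plain object standing in for document/window/navigator.
// `!= null` is a loose check: undefined fails it but 0 passes it, which is why
// any Gecko build that exposes mozInnerScreenX (a number) matches.
function stageOneFires(env) {
  return env.getBoxObjectFor != null ||
         env.mozInnerScreenX != null ||
         /Firefox/i.test(env.userAgent);
}

// Stage 2: the served script parses navigator.userAgent for "Windows NT",
// "Firefox" and the version number. Returns null when either token is absent.
function parseFirefoxUA(ua) {
  if (ua.indexOf("Windows NT") === -1) return null;
  const m = /Firefox\/(\d+(?:\.\d+)*)/.exec(ua);
  if (m === null) return null;
  return { version: m[1], major: parseInt(m[1], 10) };
}

// Decision taken on the parsed version, as described in the thread:
//   < 17  -> redirect to content_1.html (contents unknown)
//   17.x  -> set the flag and go on to load the exploit
//   >= 18 -> exit
function stageTwoAction(ua) {
  const parsed = parseFirefoxUA(ua);
  if (parsed === null) return "exit";            // not Windows, or not Firefox
  if (parsed.major < 17) return "redirect:content_1.html";
  if (parsed.major < 18) return "load-exploit";
  return "exit";
}

// Both stages together: would this client be handed the exploit payload?
// Note this says nothing about whether the exploit then succeeds: the gate keys
// on the major version, so a patched 17.0.7 ESR is selected like an unpatched 17.0.x.
function wouldReceiveExploit(env) {
  return stageOneFires(env) && stageTwoAction(env.userAgent) === "load-exploit";
}

// Constructed sample clients (user-agent strings written for this example).
// mozInnerScreenX: 0 models a Gecko browser; undefined models a non-Gecko one.
const SAMPLE_CLIENTS = [
  { name: "TBB on Firefox 17 ESR, Windows UA", mozInnerScreenX: 0,
    userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0" },
  { name: "old Firefox 10 ESR on Windows", mozInnerScreenX: 0,
    userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0.12" },
  { name: "Firefox 22 release on Windows", mozInnerScreenX: 0,
    userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0" },
  { name: "Firefox 17 on Linux, true UA", mozInnerScreenX: 0,
    userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0" },
  { name: "Chrome on Windows", mozInnerScreenX: undefined,
    userAgent: "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36" },
];

// Run every sample through both stages and report what each stage decided.
function classifyAll(clients) {
  return clients.map(c => ({
    name: c.name,
    stageOne: stageOneFires(c),
    stageTwo: stageTwoAction(c.userAgent),
    receivesExploit: wouldReceiveExploit(c),
  }));
}

console.log(classifyAll(SAMPLE_CLIENTS));
```

Running it shows the point the thread converges on: the first-stage probe fires on any Gecko build (and on anything that merely says "Firefox" in its user agent), but the payload is only delivered to clients reporting Windows and a Firefox 17.x user agent. Two caveats follow from the checks as described. The gate sees only the major version, so it selects a patched 17.0.7 ESR exactly like an unpatched 17.0.x and by itself cannot tell you whether the exploit succeeded. And the "Windows NT" test is on the reported user agent, not the real OS, so a browser that spoofs its user agent passes it on any platform; the Tor Browser Bundle of that era reported a Windows user agent everywhere.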

Here's a simple rule-of-thumb for any piece of software that is subject to critical vulnerabilities (such as web browsers; email and chat clients, etc., and, of course, operating systems): Always keep it up to date:

Make sure that you:
- are checking for security updates (whether automatically or manually) at LEAST once a day
- are downloading and installing said updates as soon as they become available
- discontinue using anything as soon as security updates are no longer issued for it

John

August 05, 2013


The Tor project should all but *force* users to install new updates each time they run Tor.

I'm not sure if automatic updates are the best strategy, but before the browser even opens you should check for updates, and if it finds any security updates, the user should have to click through an insane series of warnings before they can use the old version.

Also, updating should be a one-click affair. You shouldn't have to download a new app and install it (which I think is currently necessary on Mac at least).

This is going to keep happening, and given tor's usefulness, some of its users will not be very sophisticated, and won't understand the implications of not updating. You've got a duty to protect them.