Tor security advisory: Old Tor Browser Bundles vulnerable

An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.

This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:

Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.
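To make the "recent enough" check concrete, here is an added Python example (not part of the advisory) that compares an installed Firefox version string against the 17.0.7 fixed release named above. It assumes you can obtain the version string (for example from the browser's About dialog) and illustrates the one pitfall that bites such checks: comparing versions as plain strings rather than numerically.

```python
import re
from typing import Tuple

# Minimum fixed Firefox ESR release named in the advisory above.
FIXED_FIREFOX_ESR = "17.0.7"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a Firefox version string into a tuple that compares numerically.

    Accepts forms such as '17.0.6esr', '17.0.7 ESR' or '10.0.12': the leading
    dotted-numeric part is used and any trailing label is ignored. Fewer than
    three components are padded with zeros so '17.0' equals '17.0.0'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def compare_versions(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b (numeric, component by component)."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


def is_vulnerable(installed: str, fixed: str = FIXED_FIREFOX_ESR) -> bool:
    """True when the installed build predates the fixed release."""
    return compare_versions(installed, fixed) < 0


def naive_is_vulnerable(installed: str, fixed: str = FIXED_FIREFOX_ESR) -> bool:
    """The tempting one-liner: plain string comparison. It goes wrong as soon
    as a component reaches two digits ('17.0.10' sorts before '17.0.7')."""
    return installed < fixed


if __name__ == "__main__":
    for v in ("17.0.6esr", "17.0.7 ESR", "17.0.10", "10.0.12"):
        print(f"{v:12} vulnerable={is_vulnerable(v)}  naive={naive_is_vulnerable(v)}")
```

The check only says whether the Firefox build is older than the fixed one; which Tor Browser Bundle release ships which Firefox is a separate mapping that the bundle's own version number does not encode.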

Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…

Forced updates are very, very bad as they can be exploited. Just think somebody breaking into the update mechanism could then attack all users successfully. One-click is about as bad.

That said, a version check on start _via_ the TOR network, e.g. on the verification page may be a good idea.

Security comes with some effort you need to invest and some level of constant vigilance. Still, many people will not update unless forced to, even if there are very clear warnings that are hard to overlook. But forcing upgrades will put everyone at risk and is hence unacceptable. There are people who will be careless under any circumstances and nothing can be done about that; it just has to be accepted that there are people who cannot be kept safe.

Forced updates, when done properly, are very, very hard to exploit... the trick is, like with anything else, in figuring out how to do them properly.

Please keep in mind that if you CAN do something then you can be REQUIRED to do it.
What I mean is this... if they set up automatic updates, then the NSA (or the FBI) can REQUIRE them to send trojans to their users just as well.
This is nothing new... it happened for instance with Hushmail in the past http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/
Hushmail had to comply with a court order that forced them to send a keylogger to one of their users to catch the password he used to encrypt his email stored in Hushmail... and they could do nothing to resist it.

So... if you CAN do something, then you can be FORCED to do it.

I think the solution is to simply disable javascript and make a warning dialog popup whenever you try to enable it. If you are stupid enough to enable javascript even with a big red warning dialog that warns you that you are fucking yourself up then you just deserve it.

Also, the program should warn the user that a new version is available, but without links to automatically download any content, so the user has to go to the official website and download the official release.

"if you CAN do something, then you can be FORCED to do it."

"if they set up automatic updates then the NSA (or the FBI) can REQUIRE them to send to their users trojans just as well."

Couldn't a TLA or any savvy-enough adversary ALREADY sneak malicious code into TBB or other Tor packages?

How many people CAREFULLY READ-THROUGH ALL the code?

How many of those who do carefully read-through all the code are expert enough to detect anything rogue in it?

And, finally, how many of those who carefully read through all the code and are expert enough to detect anything rogue in it (and are looking for such) would ALSO report and publicize it should they find anything suspicious?

That is what cryptographic hashes are for. I personally would love a hash checker that would check several hashes and then tell you if more than one checks out. It is much harder to fool several hashes than to fool only one, by approximately the length of one hash multiplied by the other(s).

Anyway, I wish the load would generate the hash and allow you to check the hashes of other programs against those found in whatever source(s) you wish to point them to.
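The multi-hash checker described in the comment above, written out as an added Python example (it is not the commenter's code and not a Tor Project tool). The sample archive bytes and the manifest are constructed here so the script runs offline; in real use the expected digests would come from the vendor's published checksum file, obtained from a source you trust separately from the download itself.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List

# Constructed stand-in for a downloaded bundle archive (a few bytes, not a
# real Tor Browser Bundle).
SAMPLE_CONTENT = b"tor-browser-bundle-sample.tar.gz (constructed contents)\n"


def compute_digests(data: bytes, algorithms: Iterable[str]) -> Dict[str, str]:
    """Hash one byte string with every requested algorithm, returning hex digests."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for h in hashers.values():
        h.update(data)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def compute_file_digests(path: str, algorithms: Iterable[str],
                         chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as compute_digests but streams a file, so large archives fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_digests(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match result. Expected digests are normalised to lowercase
    hex and compared in constant time, so a partially matching digest leaks nothing."""
    results = {}
    for alg, digest in expected.items():
        results[alg] = hmac.compare_digest(actual.get(alg, ""), digest.strip().lower())
    return results


def all_match(results: Dict[str, bool]) -> bool:
    """True only when every listed algorithm matched (and at least one was listed)."""
    return bool(results) and all(results.values())


def mismatches(results: Dict[str, bool]) -> List[str]:
    """Names of the algorithms whose digest did not match, for reporting."""
    return sorted(alg for alg, ok in results.items() if not ok)


# Constructed manifest: derived from SAMPLE_CONTENT only so the example is
# self-contained. A real manifest is parsed from the vendor's checksum file.
GOOD_MANIFEST = compute_digests(SAMPLE_CONTENT, ("sha256", "sha512"))


if __name__ == "__main__":
    ok = verify_digests(compute_digests(SAMPLE_CONTENT, GOOD_MANIFEST), GOOD_MANIFEST)
    print("genuine:", all_match(ok), mismatches(ok))
    tampered = SAMPLE_CONTENT + b"\x00"
    bad = verify_digests(compute_digests(tampered, GOOD_MANIFEST), GOOD_MANIFEST)
    print("tampered:", all_match(bad), mismatches(bad))
```

One caveat worth keeping in mind: digests published on the same server as the download only catch corruption, since whoever can replace the file can replace the checksum file too; a signed checksum file verified against a key you already hold is what ties the download to the publisher.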

Who was it that said that difficulty directly reduces security? That is why I really like the keep-it-as-simple-as-running-a-TOASTER concept. Yes, I would consider running an update button before I would download a new version, for a number of reasons. Firstly, I am a very new convert to Linux! (Ubuntu)

I had the problem of having two (apparently!) instances of TBB.

tor would not load!

So I was forced to go back to my download and start from the start TBB there.

It worked!!!

I have not seen this fix anywhere.

Anyway my point is that it is HARD to be secure!

TBB is great in that it makes a NEWBIE like me able to get some security.

Also, the more people who use NON_Back_Door_Encryption, the more junk the NSA has to break the encryption for.

KEEP UP THE GREAT WORK!!!!!!!!!!!

THANKS!!!!!!!!!!!!!!!

It's not a case of doing it properly.
It wouldn't be the first time an auto-updater updates malware without you knowing.
And a company can't assure anyone that this won't happen at any time. If they do, they are simply lying to your face.

Especially for the TOR project, which is funded 80% from the US gov!!

Most of the updating process (including verifying signatures) can be easily automated, for example, using PowerShell, especially since TBB isn't really properly "installed" so much as "unzipped".

This really sounds dumb. First you want to "force" your ineptitude with technology on other users, and then want to blame Tor developers by accusing them of not fulfilling a duty to others. Man, you just love to play the blame game and evade responsibility for your own actions. These are decisions "you" make. Learn to live within your (technical) means, and let the rest of us live within ours.

You don't need to force people to upgrade; just have something on the homepage that tells them that the version is insecure and they should upgrade to reduce the risk of being exploited. Apparently JavaScript exploits have been around before. I didn't know they were possible; if more people knew they were possible and knew the risks, they would upgrade without being forced.

And for goodness' sake, disable JavaScript in NoScript by default, and don't leave any sites in the whitelist. This is how I start off, and then I make decisions on a site-by-site basis (e.g. do I really trust this site?).

https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled :

"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."

(all emphasis mine)

BWAHAHAHA enabling javascript is safer? Crack pipe please!

Javascript exposes your system's Time zone/Screen size/Color depth/System fonts, without even using any hacks, test it yourself:
https://panopticlick.eff.org/index.php?action=log

How the fuck is that safer? That's before we even talk about all the javascript exploits.

If JavaScript were safer, NoScript wouldn't attach the (dangerous) warning sign to it now, would it?

Stop lying.

The idea, I think, is that since TOR has javascript enabled by default, you can hide amongst all the other TOR users running their system on default by also keeping your JS enabled. Basically, you stay anonymous by hiding in a crowd. Keeping JS disabled everywhere makes you part of a smaller crowd of TOR users who have their JS disabled and selectively enabling for some sites and not for others makes your browser settings unique, giving you no crowd to hide in, which is very bad when you are trying to remain anonymous.

From an anonymity perspective, it makes sense. But I will agree, that definitely does not make you safer, especially if you are running a Windows OS on a privileged account. But that can also be avoided by running your OS on a low security setting, especially if that OS is not Windows. JS can deploy self-executing exploits all day long on a linux system running at a low security level and do nothing.
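The "hiding in a crowd" argument in the comment above can be made quantitative. The following added Python example (not from the commenter or the Tor Project) models it as the surprisal, in bits, that an observer gains from seeing a user's JavaScript/NoScript configuration: log2(N / n) when n of N users share that configuration. The population counts are constructed for illustration; real numbers would have to come from measurement.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

Config = Tuple[str, str]  # (JavaScript mode, NoScript whitelist shape)

# Constructed population of Tor Browser users. The counts are invented to
# illustrate the argument, not measured from real Tor traffic.
POPULATION: Counter = Counter({
    ("enabled", "default"): 9000,      # ships-as-default configuration
    ("disabled", "no-whitelist"): 900,  # JS off everywhere
    ("disabled", "whitelist-1"): 60,    # JS off, a few sites allowed
    ("disabled", "whitelist-2"): 30,
    ("disabled", "whitelist-3"): 10,
})


def crowd_size(config: Config, population: Dict[Config, int] = POPULATION) -> int:
    """How many users an observer cannot tell apart from one with this config."""
    return population.get(config, 0)


def surprisal_bits(config: Config, population: Dict[Config, int] = POPULATION) -> float:
    """Identifying information revealed by the configuration: log2(N / n).

    0 bits means everyone looks like you; log2(N) means you are unique.
    A configuration nobody else has is treated as infinitely revealing.
    """
    total = sum(population.values())
    n = population.get(config, 0)
    if n == 0:
        return math.inf
    return math.log2(total / n)


def distribution_entropy(population: Dict[Config, int] = POPULATION) -> float:
    """Shannon entropy of the whole population: the average bits revealed per user."""
    total = sum(population.values())
    return -sum((n / total) * math.log2(n / total) for n in population.values())


def rank_configs(population: Dict[Config, int] = POPULATION) -> List[Config]:
    """Configurations from least revealing (largest crowd) to most revealing."""
    return sorted(population, key=lambda c: surprisal_bits(c, population))


if __name__ == "__main__":
    for cfg in rank_configs():
        print(f"{cfg!s:32} crowd={crowd_size(cfg):5d}  bits={surprisal_bits(cfg):.2f}")
    print(f"average bits per user: {distribution_entropy():.2f}")
```

With these constructed numbers the default configuration costs about 0.15 bits, turning JavaScript off everywhere about 3.5 bits, and a small personal whitelist roughly 10 bits; a whitelist nobody else shares gives no crowd at all. The model says nothing about exploitability, which is the other half of the trade-off the thread is arguing about.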

It doesn't matter how visible a notice or warning is, some people will completely ignore it and move on.

Source: I used to work tech support on a college campus. Also, retail.

"It doesn't matter how visible a notice or warning is, some people will completely ignore it and move on."

But once as much as can be reasonably expected has been done to warn, then the responsibility rests upon the user who ignores the warning.

"some of its users will not be very sophisticated, and won't understand the implications of not updating."

I don't recall sufficient details about the warning that flashes when a deprecated TBB opens.

If the warning:
a) is practically impossible to miss,
AND,
b) explicitly conveys the danger of continuing to use the deprecated TBB,

well, then any user who ignored such a warning would have THEMSELVES to blame, don't you think?

The warning should read something like:

"A new version of TBB is now available. You are strongly urged to update immediately. The version you are reading this in has known critical *security vulnerabilities* that may be used to compromise the protections provided by Tor as well as harm your system in any other number of ways."

Jason

August 05, 2013


So I am running version 2.3.25-10 from June 26 2013 but may have had java enabled and visited tormail... am I covered by the fix in the latest version?

Jason

August 05, 2013


Interesting. So it took "them" about 4 weeks from the patch (Firefox was patched a day earlier) to an implemented larger-scale attack. Not too bad for a bureaucracy.

But this also clearly says the Tor project is not to blame. Being 4 weeks behind with security patches is unacceptable for something like Tor, and the Mozilla folks called the vulnerability "critical". This vulnerability does not even really qualify as 0-day, even if the Mozilla advisory just says "crash, can possibly be exploited".

Jason

August 05, 2013


I use the Vidalia package from last year with a FF version 10.x. Is my setup at risk from this exploit?

Your browser is vulnerable to this type of attack (and many others) indeed, but the attack implemented on Freedom Hosting sites specifically targets v17 of Firefox, thus it's likely that your identity has not been compromised if you've visited any of these sites with v10.x.

Jason

August 05, 2013


I still don't understand it all - sorry in advance :)

I've read several different things about the exploit, one mentioned a tracking cookie that could not only reveal your IP but also every other site visited while the cookie is active.

So for my question:
Does the script just tell the server the site you got it from (e.g. Tormail) and your real IP or does it track all the browsing of the current session?

Jason

August 05, 2013


Sorry for the stupid question, but one thing would be interesting for me: I had an older version of TBB installed until Friday, but JavaScript was globally disabled. Can I be affected?

Jason

August 05, 2013


I wish Mozilla would take memory safety more seriously.
Almost all releases contain:
'Miscellaneous memory safety hazards'

Much of the JavaScript in the Firefox codebase also violates sound practices and advice from Douglas Crockford in "JavaScript: The Good Parts".

It's sad to see that lots of JS code uses the (bad) == equality operator instead of the (good) === operator.

There are static checking tools available.

But I'm pleased to see that Tor is starting to take TDD seriously. Thanks for that!

The WWW in general has gotten way ahead of itself and should never have been allowed to get as far as it has with all of the numerous, multiple security threats, many never even /accounted/-for, much less adequately dealt with.

Critical infrastructure and at least a great deal of the critical data that has been placed onto the Internet should never have been.

Yet another example of what happens when you allow the "Free Market" to dictate; to be the arbiter, etc.

Jason

August 05, 2013


I don't hear anything outside of the Tor Browser. What about the pluggable transport version obfsproxy for Tor? I believe that version of firefox is 17.0.6.

Is this safe, because there hasn't been an update or an announcement for this particular package?

Also, for us non-techs, would we actually know that the browser was affected, if something took place. Any explanation would help. Thanks!

Jason

August 05, 2013


Question: In a German newspaper they say that you Tor developers suggest not to turn off JavaScript. The newspaper states that it would be more suspicious than protecting.

What can you say about JavaScript? I disabled it for all sites because of possible attacks like this.

JavaScript on or off - what is the better way to surf safely?

JavaScript on or off - what is the better way to surf safely?

That depends on what you mean by safe.

The Tor Bundle ships with Firefox as the browser, and includes the NoScript extension to Firefox that blocks scripting if the site is not in a user-maintained whitelist.

The problem is that disabling JavaScript by default breaks browsing for people who want to access sites that require JavaScript to work correctly. Most Tor users are simply concerned with anonymity, which means not having their actual IP address available to the site they are viewing. When you go through Tor, the origin address the other side sees is your Tor exit node, not your real IP.

The Tor Project chose to enable JavaScript globally to avoid problems for the majority of users who don't care if it's enabled.

I don't know of any way to get a real underlying IP address of a computer with just JavaScript. Getting the real IP address requires OS level operations JavaScript isn't allowed to do.

If you run the Tor bundle, click Add-ons. In the Add-ons window, select NoScript, and click the Options button. Uncheck the "Scripts allowed globally" box.

JavaScript will now be off by default. NoScript will warn you if it has blocked JavaScript execution when you visit a site. If you trust the site, you can add it to NoScript's whitelist, and JavaScript will be permitted for that site in the future.

Great explanation, but one further note -- you say "if you trust the site", but if the site is giving you content over http, then you really mean "if you trust the site, and also the network connection between you and site". And whether you're using Tor or no, that decision gets quite complex. Even worse, we've seen evidence lately where state-level adversaries can fabricate https certificates for other sites -- so we need to append "and if you trust the 200 or so certificate authorities to all behave perfectly" to the list of if's. Rough world out there. (That said, raising the bar does help.)

Unfortunately those who trusted the sites hosted on Freedom Hosting, and added them to a white list, got caught by this exploit. After today, JavaScript must be off in TOR at all times, because new vulnerabilities like this will pop up in the future.

If you want to be private, you have to disable JS, no matter how trusted and secure a site may be. There is no way around it now. FH was a trusted, untraceable onion hidden service.. and yet it fell and was injected by malicious scripts. TOR must ban JS completely starting today.

If you use JS you can be caught by such buffer overflow exploits, and your real identity will be revealed. And if you don't care about protecting your identity, why use TOR?

One should consider if banning JS from all browsers is not the right thing to do. If any malicious executable code can be run at will by JS, imagine what this could do in the hands of criminals. It could install a keylogger on your pc with ease and gain access to your bank accounts, or worse.

It sure would be nice to have an easier interface than Noscript's, for enabling Javascript in a just-in-time way when you decide you want it.

That said, while Javascript is indeed a big vector for attacks, don't think you've solved everything by disabling it. Another enormous vector is svg and pngs -- it is absolute crazy-talk to just blindly accept images from websites and render them. No reasonable person would allow images to load in their browser. The number of recent vulnerabilities in libpng alone should be enough to convince you.

That said, I sound like a paranoid maniac in the above paragraph. But hopefully it will make you stop and think. How did we get to this point in browser security, and how do we recover from it?

Write a secure browser from scratch and don't bother catering to people's retarded demands like being able to run the latest and stupidest web 4.0 gizmo.

Problem is, you want a browser that the dumb masses can use in every dumb web site...Looks like your problem can't be solved.

Re: How do we recover from it?
The best defense is a good offense. It is probably impossible to prevent all hostile surveillance - either by government or the private sector. But, you might consider making it worthless.
I don't know much about spam. Send me meaningless messages, and I will just ignore and delete them.
Suppose you developed an application that waited for your computer to be dormant for a certain period, then composed totally junk email using random words from a dictionary, and sent those messages to random people who use the application (by using the application, you would consent to randomly receiving a bunch of junk). You would clog surveillance servers with nonsense.
Develop another application, as above, that doesn't send anything, but simply goes from one "G" rated site to another, again randomly. Again, the surveillance folks would be clogged with junk.
Now, if you want to make things interesting, search "phony research papers" and you will find a site at MIT where you can enter your name and it will crank out a phony technical research paper. Total nonsense. Use those for the email messages.
Want to make it more interesting, encrypt all the email with PGP.
For those - like me - who are truly malicious, generate the phony research paper, then use a word processor to change one of the key words in the paper to "uranium deuteride," "virtual cathode oscillator," "high purity fluorine," "10 gauge, high purity aluminum tubing, 3 inch ID," etc. Don't forget to encrypt it! (Also, be really familiar with the FBI's "triple threat" surveillance program IN ADVANCE! And, don't do this unless you enjoy excitement, because you're going to get plenty.)
Gnovalis

So, just to make it "easier" to browse, TBB effectively facilitated this attack by having JS on by default despite cries for it to be disabled? Nearly all new major Firefox vulnerabilities involve breaking the sandbox with JavaScript, yet the TBB insisted that it had patched all *known* vulnerabilities and so users were supposed to believe running JS was some sort of acceptable risk!

I don't know how many people complained to both TBB and Tails that JavaScript should be OFF BY DEFAULT, but they kept coming back with this same old horseshit. Tails devs refused point blank to even add a boot code to start Iceweasel with JavaScript off!

This all stinks to high hell.

It's not that simple. Did I not read above that if you had the most recent release of the TBB that you were immune to this attack? What it means is users should always make sure that they are using the latest release. It's pretty obvious too because the default home page for the TBB is https://check.torproject.org/. Now this isn't a perfect solution because the government could perform a MITM attack to make users think they had the latest version when they didn't. However, if I'm not mistaken, they are working on a better solution. Also, I'm not arguing JavaScript should be on by default, although I think to say it should be off by default overlooks the issue that doing that would decrease the Tor user base, which hampers security as well for all users.

It might be worth developing a plug-in with a big button that says 'secure mode' and one that says 'risky mode'. The secure mode would automatically be enabled for .onion sites where the onion sites would then be expected to comply with the 'secure mode' design (since all such sites for all intensive purposes must be compatible with it). The first thing you see when opening the TBB is an explanation of this 'secure mode' and the 'risky mode'. If you select the risky mode on non-Tor sites you should get a warning "Are you sure? There is a decent chance you will be putting yourself at risk" with continue, cancel options. This way it is a little more difficult to accidentally turn on 'risky mode' and at the same time non-technical users wouldn't find the TBB difficult to use.

"for all intensive purposes"

Yeah, a lot of those .onion sites can get pretty intensive...

( I think you meant 'for all intents and purposes')

The advice given in the final two paragraphs of the above post explicitly and completely contradicts that given in the Tor Project FAQ:
(all emphasis mine)
"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."

( https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled )

I am absolutely appalled that arma not only effectively endorsed, in general, this post that so contradicts the FAQ maintained by her organization but actually went-on, in a subsequent post, to clearly imply endorsement, specifically, of selective enabling of JavaScript while using Tor:

"It sure would be nice to have an easier interface than Noscript's, for enabling Javascript in a just-in-time way when you decide you want it."

BWAHAHAHA enabling javascript is safer? Crack pipe please!

Javascript exposes your system's Time zone/Screen size/Color depth/System fonts, without even using any hacks, test it yourself:
https://panopticlick.eff.org/index.php?action=log

How the fuck is that safer? That's before we even talk about all the javascript exploits.

If JavaScript were safer, NoScript wouldn't attach the (dangerous) warning sign to it now, would it?

Stop lying.

Sir,

I was merely QUOTING the Tor Project FAQ and noting the glaring contradiction between what it says and what "arma", a representative of that very same organization (The Tor Project) wrote here.

People should be demanding a response to this CONTRADICTION.