Tor security advisory: Old Tor Browser Bundles vulnerable

An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.

This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:

2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)

Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.

Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…

Anonymous

August 07, 2013

Permalink

Hi you all there. I have two questions... of which, one is a bit off topic ...
What do you think about using Tor not just with the bundle but routing the whole PC traffic through it? (I'm on GNU/Linux of course...) What are the cons and pros?
I mean ... as a solution for ordinary people and their daily browsing. So no whistleblowing, hidden services or something. People who have "nothing to hide" but are not so stupid to give away their privacy to some pigs.

And the second... would it be safer for bimbows users to route the internet traffic not in their machines but in the router? For example installing Tor on a DD-WRT router so all the OS built-in malware couldn't bypass Tor so easily. I'm no tech pro so maybe it's a bit of a stupid question... but it makes me curious...

Tails used to route all traffic into Tor by default. They changed their policy a year or two back, to configure the proxy settings on all applications that they knew would talk safely through Tor, and set the firewall rules to drop all other connections. The idea is that if an application hasn't been specifically configured to use Tor correctly, it will probably use it incorrectly, so it's better to prevent it from talking to the network at all.

See https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea for an example of how things can go wrong with an application that doesn't care about privacy.

I think I understand... So if I would like to use my day to day Linux install with Tor... I would need to set all applications to Tor.

But what about the idea of setting my DD-WRT router to work with Tor? I mean... installing Tor into the router ... so the router would route all the traffic through the Tor network... Is something like this possible?

It is possible, but you're likely to screw up your privacy. See the "Bittorrent over Tor isn't a good idea" post for an example of how you'll lose -- your bittorrent application will end up "anonymously" sending out your IP address in its application-level traffic, and things will go downhill from there.

Anonymous

August 07, 2013

Permalink

So, I've been keeping my version of TBB up to date, but I haven't disabled javascript manually in Noscript. Am I compromised?

*Sigh* I don't know why you people seem unable to read before posting. It CLEARLY says in the advisory at the TOP OF THIS PAGE -

"This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:

2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)"

So no, if you have Firefox 17.0.7 ESR the exploit will not have worked notwithstanding whether you had Javascript disabled or not.

Anonymous

August 07, 2013

Permalink

Quick question - I have the latest version of TBB, but I didn't have javascript disabled manually in Noscript. Am I compromised?

Maybe arma could confirm this, but from my understanding, in Firefox 17.07 visiting one of the infected web pages would produce an XML parsing error, whereas if you had a vulnerable browser but had JS disabled in either the browser settings or NoScript, you would have seen the "down for maintenance" page, but due to JS being off the code would not be able to run.

Anonymous

August 07, 2013

Permalink

To: Webmaster/Website Admin

At the time of writing, I noticed there are 456 posts before mine.

I wonder why the webmaster of this web site did not consider asking users to register and post at http://torforum.org

The current display of posts on this web site appears clunky and disorganized.

Yeah, this blog is a poor forum, I agree.

And we do need a forum.

But we need one that competent Tor people will contribute to regularly, or it will just be a bunch of wrong users being wrong at each other. I have no idea what torforum.org is, or who runs it (hint: Tor doesn't), and that's not a good sign.

See also recent blog posts here about our stackexchange plans.

Anonymous

August 07, 2013

Permalink

Ashish Garg writes: If we disable javascript, there is no point using TOR because these days we can't open any website without javascript-enabled browsers; we can't log onto Facebook, yahoo etc.

Not all websites use Javascript (although I accept a lot do).

I hope you're not suggesting that people use TOR to login to sites like Facebook, yahoo? You SHOULD NOT be accessing any clearnet sites through TOR!

Why not? Well... I don't care about FBshit... but for what purpose should one use Tor if not for anonymity? Why darknet only? Isn't the diversity of users the main pillar for privacy by design here? Really... why shouldn't I use Tor for clearnet?

Ignore the post above yours. Tor is designed to be used on clearnet to allow you to browse the internet anonymously. Probably the majority of users use it that way, to visit regular websites. That is why they leave javascript on by default.

Plenty of people use Tor to log in to Facebook. Even if they're ok telling Facebook what their account is, they still don't want Facebook (or somebody surveilling Facebook) to know where they're located currently, and they don't want their ISP to know where they're connecting.

Also, there are whole countries where Facebook is blocked, and many tens of thousands of people use Tor to reach it anyway.

There are many different angles to anonymity, and this diversity is part of what contributes to Tor's security.

Anonymous

August 07, 2013

Permalink

Do people think that an attack like this one could work against a system like TAILS? As I understand it, this code sends the collected information over a non-Tor connection to the internet, and TAILS supposedly blocks all non-Tor connections to the internet. Or would it be possible to get around that blocking?

In Tails it would have been blocked by iptables rules; however, even if Tails is a lot better structured for anonymity purposes than Windows, no system is safe when an attacker can execute some arbitrary code on your machine.

Anonymous

August 07, 2013

Permalink

If you got the "Sorry, This server is currently offline for maintenance" message when visiting an infected site does that mean you have been exposed or would everyone have seen the message even if their setup was safe from the exploit?

Everyone would have seen the "offline for maintenance" message when the sites were down because, well, they were down :-) no matter whether you had a vulnerable browser or not.

Anonymous

August 07, 2013

Permalink

Not long ago NVIDIA released new drivers which didn't like Firefox (BSODs and other stuff) - they blamed Microsoft for some old bug or something. Could there be a connection?

Anonymous

August 07, 2013

Permalink

LOOK FOLKS;

Quit with the idiotic discussions related to Gosh, I'm a poor misunderstood pedophile ... Am I going to prison? ... and How? ... and Why? ... and how can I squirm out of it ??? etc., ad nauseam.

The simple answer is YES !!! if you're a God Damned Pedophile ... YOU ARE GOING TO PRISON ... So Just STFU and accept it.

Apparently nobody spent the time to teach you the basics of ABSOLUTE MORALITY ... a quaint custom Wherein Children are both innocent and worthy of Actual Love ... That means that you are almost certainly a Progressive Democrat, possessed of Relative Morality, which means that we can get along without your presence quite nicely.

As far as the rest of us are concerned, The REAL and only serious problem is the loss of TOR MAIL.

With the known death of Freedom Hosting and the catastrophic (and permanent) demise of Tor Mail, it is incumbent upon some TRUSTWORTHY organization to reincarnate Tor Mail as quickly as possible.

That organization ... MUST, ABSOLUTELY, BE TOR ITSELF.

There is NO OTHER anonymous email service in existence that can take its place and there is NO service provider OTHER THAN TOR that will be TRUSTED to carry on the name, particularly since, should TORMAIL suddenly reappear on the Onion network, It will be assumed (correctly) to be controlled by the NSA and FBI.

TOR will never be compromised by the Intelligence Mega-plex, simply because they use it themselves ... a fact recently illustrated by the effective destruction of the Dot-Onion network NOT associated with TOR itself.

TOR can accomplish this in less than Two Weeks ... Kindly Do So.

TemplarKnight@tormail.org ... At least, that's who I used to be.

http://arstechnica.com/tech-policy/2012/06/fbi-halted-one-child-porn-in…

>wangstramedeous | Ars Praetorian Tue Jun 12, 2012 1:55 pm

>Child pornography is a symptom of a larger malaise in society, namely child abuse and exploitation. Simply putting so much emphasis on one medium of distribution (media delivered via the internet) suppresses and ignores what is going on all around us. Really, its a snap shot of a reality that is part of the fabric of society. Destroying the evidence of it in one aspect does nothing to address it.

>It is simply an act of making unseen what is clearly a problem more widespread and larger than people looking at videos and pictures. Even if we were to imagine that we wiped out every single cache available online, it ignores that one of the most vulnerable segments of our population is still being exploited. The lopsided nature of policies targeting people that consume the media vs people who actually engage in abuse belies this.
.......

http://news.cnet.com/8301-13578_3-9899151-38.html

>by PzkwVIb March 21, 2008 4:55 AM PDT

>If people are abusing children and producing child porn, then go after them. [...]downloading such material does not harm a hair on a child's head. [...]Making possession, which on the net can even mean hidden thumbnails on web pages, is just plain Stupid.
[...]

>but as a law enforcement official or a politician you get the same boost in popularity if you go after the easier to catch people than the ones actually harming children.
_________
It would seem to me that the more people who view "pedo/CP" material and sites, the more chances for predators to be exposed and their victims identified.

I am fairly certain that at least one child-rapist is now, finally, behind bars as a direct result of evidence I saw at a "pedo"-oriented site and acted upon. Yet, both myself as well as the people who cooperated with me put ourselves at risk in coming forward and presenting the evidence.

"Sunlight is the best disinfectant."

"The love between men and boys is at the foundation of homosexuality. For the gay community to imply that boy-love is not homosexual love is ridiculous." - "No Place for Homo-Homophobia.", San Francisco Sentinel, March 26, 1992

"Shame on us if our lesbian/gay voices remain silent while our NAMBLA brothers are persecuted once again, and shame on those lesbians and gay men who will raise their voices to condemn NAMBLA, insisting that boy lovers (and presumably the boys they love and who love them) are not part of this thing called the lesbian/gay community."
- Steve Hanson, "Shame on Us.", Bay Area Reporter, January 23, 1992

"NAMBLA is by no means on the fringe of the "gay rights" movement. For years, it was a member in good standing of the International Lesbian and Gay Association (ILGA), and was only jettisoned by ILGA when the parent organization applied for United Nations consultative status in 1993. Years earlier, the ILGA itself had resolved that "Young people have the right to sexual and social self-determination and that age of consent laws often operate to oppress and not to protect." "
- http://www.lifeissues.net/writers/clo/clo_09homosexuality.html

Note that the "love" being referred to in the above quotes is little more than an Orwellian euphemism for the buggering and sodomizing of tender youth by adult males.

(This is particularly disturbing when one considers the distinct physical as well as psychological disadvantage that the *receptive* partner in anal penetration is placed at: The bulk of the considerable risk of deadly infection as well as injury, ALL of the pain, discomfort and inconvenience that are endemic to this act, etc. )

"Note that the "love" being referred to in the above quotes is little more than an Orwellian euphemism for the buggering and sodomizing of tender youth by adult males."

What is your agenda here? Do you know all of the people in question personally and know for a fact it's all anal rape? Because you can't be more wrong, and that's a fact. Your claim is as silly and misinformed, as saying that all love between man and woman is limited exclusively to him sodomizing her and nothing else.

The love referred to in the quotes above is what it should be - admiration, emotional comfort, having feelings for each other. What's wrong with that? Just because you can't imagine love without sex doesn't mean everyone else is like that. And I don't claim sex can't be involved in this kind of relationship, but it can go both ways, with the younger partner being in charge. But sex is not required for love. You are taking the worst criminals, rapists and molesters, and projecting their deeds onto an entire group of people, because you don't understand them, and because they can't defend themselves, due to current laws. Try to say the same about black people or women, that they only rape each other and know no love... let's see how you'll fare then.

What's disturbing is your comment and the way you twist facts to show other social groups as subhuman. Do you only rape your women/men? No? Neither do the people you accuse, in most of the cases. There are a few bad sheep, but aren't they common in all social groups?

I'm sorry for being off-topic here, but a voice of common sense, reason and simple human compassion was necessary. Even so, my defense of those who deserve defending will be seen as 'pedophile defense', so thank God for TOR and the freedom of speech it enables.

Anonymous

August 07, 2013

Permalink

Sorry if it was already asked, i can't find it. Is there any reliable information on what date the exploit could have been online for the first time?

You mean either you didn't look at all, or you didn't look very hard, as the answer is posted a mere 18 posts above yours...

"As far as I know from what I have been reading is that it could be no less than 1 week but likely closer to 2 weeks before Aug 4th."

Poster is asking for 'reliable information'. Where did the "2 weeks before 4th August" info come from? Can the original poster provide a link?

The exploit caused browsers to crash out, so I guess it can't have been too far in the past. When did Tormail users start spotting issues?

Anonymous

August 07, 2013

Permalink

Interesting coincidence that the big terror alert in Yemen coincided with the Tor exploit. All the talk is about CP sites. But was the exploit used against terror sites too? Or were they the real target and the CP sites "bonus"? Was the breach of Tormail related to the terror alerts???

If I had to pick my conspiracy theories, I'd be more inclined to guess that the timing of the Yemen publicity is more related to the "should we allow NSA to do this surveillance stuff" arguments that America is having right now.

Anonymous

August 07, 2013

Permalink

I've read through all of the above comments, and one of the questions I still have is in regards to the mechanism that this exploit uses to send the gathered information back out through clearnet. Does it have its own means to access your internet connection? Or does it use your existing browser to send the information? If the latter, would running an updated version of FF (such as v.22) block this on the way out, or does the version only matter on the way into your system? TIA for anyone who answers.

Also, in spite of all of those who want to blame those of you at TOR for this, thank you for all the hard work you've done.

>>Or does it use your existing browser to send the information?

I am not a techie. However, my understanding is that this exploit sent this info back via the Firefox browser. It would not (and in fact could not) access your internet connection separately.

>>If the latter, would running an updated version of FF (such as v.22) block this on the way out, or does the version only matter on the way into your system?

The exploit does not work in Firefox 17.0.7 ESR or Firefox 22.0. See here -

https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…
https://www.mozilla.org/security/announce/2013/mfsa2013-53.html

The exploit was able to run its own machine code (like an .exe) and used Windows OS functions to make a direct connection the same way any other software on your machine does (including browsers, email, etc). The updated versions would have blocked that code from running in the first place.
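Added example, not code from Tails, Tor or any commenter: a small Python model of the Tails-style egress policy described earlier in the thread (applications forced through Tor's local SOCKS port, only the tor daemon allowed out, everything else dropped), evaluated over constructed connection attempts that include the kind of direct "phone home" connection this answer describes. The tor UID, the SOCKS port, process names and the addresses are assumed values.

```python
# Added example (not Tails' or Tor's own code): a model of the Tails-style
# egress policy described in the comments above. Only the tor daemon may
# reach the network; other processes may only talk to Tor's local SOCKS port.
# UIDs, ports, process names and the sample connections are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

TOR_UID = 104          # assumed UID of the tor daemon's user (e.g. debian-tor)
TOR_SOCKS_PORT = 9050  # Tor's default SOCKS listener

@dataclass(frozen=True)
class Conn:
    uid: int    # local user the connecting process runs as
    dst: str    # destination IP address
    dport: int  # destination TCP port
    proc: str   # process name, used only in the log line

@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    uid: Optional[int] = None    # like iptables -m owner --uid-owner
    dst: Optional[str] = None    # like iptables -d <network>
    dport: Optional[int] = None  # like iptables --dport

    def matches(self, c: Conn) -> bool:
        if self.uid is not None and c.uid != self.uid:
            return False
        if self.dst is not None and \
                ipaddress.ip_address(c.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and c.dport != self.dport:
            return False
        return True

# Ordered like an OUTPUT chain whose default policy is DROP:
#  1) any process may reach Tor's SOCKS port on loopback,
#  2) only the tor daemon may leave the host,
#  3) everything else falls through to DROP.
POLICY: List[Rule] = [
    Rule("ACCEPT", dst="127.0.0.0/8", dport=TOR_SOCKS_PORT),
    Rule("ACCEPT", uid=TOR_UID),
]
DEFAULT_POLICY = "DROP"

def evaluate(c: Conn, policy: List[Rule] = POLICY) -> str:
    """First matching rule wins, as in an iptables chain; else the default."""
    for r in policy:
        if r.matches(c):
            return r.action
    return DEFAULT_POLICY

def audit(conns: List[Conn]) -> List[Tuple[str, str]]:
    """Return (decision, log line) per attempt; DROP lines are the ones to alert on."""
    out = []
    for c in conns:
        d = evaluate(c)
        out.append((d, f"{d} uid={c.uid} proc={c.proc} -> {c.dst}:{c.dport}"))
    return out

# Constructed sample: browser via Tor, the tor daemon itself, and a hijacked
# browser process trying to connect out directly (TEST-NET addresses).
SAMPLE = [
    Conn(1000, "127.0.0.1", TOR_SOCKS_PORT, "firefox"),  # via SOCKS: ACCEPT
    Conn(TOR_UID, "198.51.100.7", 443, "tor"),           # tor to a relay: ACCEPT
    Conn(1000, "203.0.113.5", 80, "firefox"),            # direct phone-home: DROP
    Conn(1000, "127.0.0.1", 80, "firefox"),              # loopback, not SOCKS: DROP
]
```

Running `audit(SAMPLE)` yields one log line per attempt; in the Tails model the third line is exactly the direct connection that the iptables rules would have refused, and the one a defender would want logged.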

Anonymous

August 07, 2013

Permalink

From another forum.

It seems to me like there are two possible reasons for this attack. First I find it very plausible that the NSA already knew who owned Freedom Hosting. In fact I think the owner claimed he became worried when he read about the Snowden leaks and then started researching Russian visas thinking he might flee. Incredibly convenient time for the authorities to suddenly figure out who he was and make an arrest.

I think the NSA knows that what they're doing is very illegal and unconstitutional and perhaps they're going to go on a rampage using the system for all it's worth while they can. As usual, they'll just break the law as much as they want to get an arrest and then apologize for it after. But unless convictions are overturned and the parties responsible are put in jail for circumventing the constitution nothing will change. It'll just be a game of political musical chairs and all the people they screwed over will remain in prison. They figured out long ago that whether it's invading a country, overthrowing a government, bombing a thousand people to kill one suspect, or misapplying the law like at the G20 in Toronto, it's all good so long as you've done what you needed to do by the time the truth catches up with you.

Secondly it seems this may have also been more of a PR campaign. "Yes we're invading everyone's privacy and turning the world into an Orwellian state but look at all the children we've saved from being exploited!" You've got a problem with using dirty tricks to go after pedos?! Unfortunately this kind of propaganda works on an alarming number of people. Every time the American government does something awful they always find a boogeyman to garner public support.
I would also like to point out that this appears to be the second time that Firefox has "accidentally" done something that allowed their browser to be exploited by a third party in the name of fighting child porn. The first time it was a little more targeted but also a little more obvious someone at Mozilla was in on it. This time it was an entire host rather than one website.

Anonymous

August 07, 2013

Permalink

What about Aurora browser bundles (version 7)? I haven't heard anything about that.

Anonymous

August 08, 2013

Permalink

Here's an interesting question that doesn't appear to have been raised (apologies if it has and I've missed it). - Does the "phone home" exploit identify which website(s) a person visited to get it?

The exploit assigned a unique identifier and they will use it to tie your IP to the page you were looking at.

Anonymous

August 08, 2013

Permalink

excuse me if this has been asked and answered already. is it safe to say that any browsing using tor prior to the date of marques's arrest (i.e. therefore prior to the appearance of the "down for maintenance" pages on FH-associated websites) was unaffected by the malware?

No.

Very little is known about how the exploit was deployed, or when, or if they knew about the Firefox issue before it was announced by Mozilla. They could have been capturing IP addresses for weeks before the arrest (but this is unlikely - exploit caused browser crashes).

People are assuming it's just a recent thing and Firefox 17.0.7 ESR Windows users are safe.

Does anyone know better than this?

Well, Firefox 17.0.8 was released this week

Fixed in Firefox ESR 17.0.8

MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

Fair. Any idea why the pages would have all gone offline at the same time if it wasn't related to the deployment of the exploit? You'd think there wouldn't be a lot of incentive on the part of whoever was controlling them in Marques's absence to have them go down.

Anonymous

August 08, 2013

Permalink

There is a list of all the sites affiliated with Freedom Hosting. If the gov's have access to the servers, would there also be logs on them? How much would be logged by FH?
Thanks.