Tor security advisory: Old Tor Browser Bundles vulnerable
An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
- 2.3.25-10 (released June 26 2013)
- 2.4.15-alpha-1 (released June 26 2013)
- 2.4.15-beta-1 (released July 8 2013)
- 3.0alpha2 (released June 30 2013)
Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.
Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…
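As an added example (not part of the advisory and not Tor Project code), the Python below checks a bundle version string against the four fixed versions listed above, and a Firefox version against 17.0.7. It assumes that within a release series a later Tor version or build number also carries the fix, and it reports any version outside the listed series as unknown rather than guessing; the function names are illustrative.

```python
import re

# First fixed bundle in each release series, copied from the advisory.
FIXED_BUNDLES = ["2.3.25-10", "2.4.15-alpha-1", "2.4.15-beta-1", "3.0alpha2"]
# Firefox ESR release the advisory names as containing the fix.
FIXED_FIREFOX_ESR = (17, 0, 7)

_PATTERNS = [
    # 2.3.25-10, 2.4.15-alpha-1, 2.4.15-beta-1
    re.compile(r"^(?P<tor>\d+\.\d+\.\d+)-(?:(?P<chan>alpha|beta)-)?(?P<build>\d+)$"),
    # 3.0alpha2
    re.compile(r"^(?P<tor>\d+\.\d+)(?P<chan>alpha|beta)(?P<build>\d+)$"),
]


def parse_bundle(version):
    """Return (series, sort_key), or None if the format is not recognised."""
    for pattern in _PATTERNS:
        m = pattern.match(version.strip())
        if m:
            tor = tuple(int(p) for p in m.group("tor").split("."))
            channel = m.group("chan") or "stable"
            # A series is major.minor plus channel, e.g. ((2, 4), "beta").
            return (tor[:2], channel), (tor, int(m.group("build")))
    return None


# series -> sort key of the first fixed bundle in that series
_FIRST_FIXED = dict(parse_bundle(v) for v in FIXED_BUNDLES)


def bundle_status(version):
    """Classify a bundle version as 'fixed', 'outdated' or 'unknown'."""
    parsed = parse_bundle(version)
    if parsed is None:
        return "unknown"
    series, key = parsed
    first_fixed = _FIRST_FIXED.get(series)
    if first_fixed is None:
        # Series not listed in the advisory: do not guess.
        return "unknown"
    # Assumption: later builds in the same series keep the fix.
    return "fixed" if key >= first_fixed else "outdated"


def firefox_esr_fixed(version):
    """True if a Firefox version string is at or above 17.0.7."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return False
    return tuple(int(g or 0) for g in m.groups()) >= FIXED_FIREFOX_ESR


if __name__ == "__main__":
    # Sample inputs chosen for illustration.
    for v in ["2.3.25-10", "2.3.25-8", "2.4.12-alpha-1", "3.0alpha1", "3.0beta1"]:
        print(f"{v:16} {bundle_status(v)}")
    print("Firefox 10.0.10 fixed?", firefox_esr_fixed("10.0.10"))
```

A result of "unknown" should be treated as not confirmed fixed.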
>>would there also be logs
>>would there also be logs on them? How much would be logged by FH
Who knows. There might be logs. However, even if there were logs, so what? This is TOR, remember. If, for instance, an onion site logged the IP addresses of computers accessing said site, the IP addresses logged will be the last person in the TOR chain, not the IP address of the actual person getting their mail/drugs/cp. Therefore useless to LEA (or whoever else might want it).
Since it's a hidden service,
Since it's a hidden service, the "last person in the Tor chain" is the Tor client running the hidden service. That is, the IP addresses are probably all 127.0.0.1.
Lavabit mail is down for
Lavabit mail is down for maintenance the whole day. The mail service isn't working. Can it be somehow related to this stuff? Did those nasty pigs go crazy? Are they going to shut down the whole internet because of a bunch of other pigs?
The world is indeed going
The world is indeed going crazy these days.
See https://blog.torproject.org/blog/calea-2-and-tor where I talked about how to handle unreasonable requests from law enforcement. I hope that day doesn't come for Tor, but if it does, I hope we handle it as well as Lavabit did.
Hi and thanks for the reply. The
Hi and thanks for the reply.
The Lavabit shutdown really surprised me... as well as all the mess that happened recently. The more funny it seems when you go outside and you see happy people living their peaceful life in democracy. It's a really depressing sight.
Besides the obvious (disable
Besides the obvious (disable Java, JS, flash, etc) the one big take away from this incident should be:
DO NOT HOST IN WESTERN NATIONS!!
Do not host anywhere that has extradition laws established with US/UK. Host in BRICs nations, nations hostile to the west or countries that have a history of snubbing copyright law.
For everyone blaming TOR,
For everyone blaming TOR, the issue really wasn't TOR at fault but Firefox. In addition when you buy a deadbolt for your house, it ships as being unlocked. It's up to YOU to install it and LOCK IT. The option to turn off Javascript was always there for you before you went to an onion site, default on or default off. So stop your crying because you visited questionable content.
No, the fault was of whoever
No, the fault was of whoever decided to enable javascript BY DEFAULT in TorBrowser. This was a very short-sighted decision and the Tor team should have really known better. You don't make a security software and then fuck everything up with bad choices like these. If some retards want to enable Javascript they can do so, at their own risk, exactly as they can disable Tor altogether if they don't care about their privacy being compromised.
The "stop your crying because you visited questionable content" is just a dumb sentence since most people if not everyone who uses Tor wants to view and/or produce questionable or unlawful content and this does not automatically mean "right" or "wrong".
Bullshit, most people who
Bullshit, most people who use tor don't have a clue how things work. Just because it was always there doesn't mean it is ok, because torproject is claiming to protect people's privacy.
Remove these claims from the torproject frontpage and nobody would say shit.
Anonymity Online
Protect your privacy. Defend yourself against network surveillance and traffic analysis.
Tor prevents anyone from learning your location or browsing habits.
Tor is for web browsers, instant messaging clients, remote logins, and more.
Doesn't fucking work that way when you enable javascript by default now does it.
The content that people
The content that people choose to browse is completely irrelevant. Tor developers changed the default setting of NoScript, encouraged all its users to browse with JavaScript enabled and justified it as making them more anonymous. Do you know how many past Tor exploits relied on JavaScript? Every single one of them.
This last sentence is
This last sentence is false.
https://gitweb.torproject.org/tor.git/blob/HEAD:/ReleaseNotes
When the torproject team
When the torproject team openly lies, it makes you wonder what else they are doing behind your back and what else is hiding in their codes.
At least 1.1 to 1.2 are
At least 1.1 to 1.2 are reportedly needed to access websites configured with Elliptic Curve Ephemeral Diffie Hellman cipher suites needed to achieve perfect forward secrecy (PFS) access.
Firefox 23 just bumped TLS 1.0 to 1.1, and version 24 will have v1.2. It is distributed as 1.0 and you have to use about:config to manually set it because they removed the encryption select tab in advanced options in this version.
Are similar TLS upgrades planned for versions of Tor Browser? If not, should they be?
RT is reporting that Lavabit
RT is reporting that Lavabit voluntarily shut down the site because they refused to give in to government pressure regarding the Snowden case. Apparently they knew Snowden had an account there and went after the site owner. Gotta applaud him for not giving in. More than I can say for Skype, Hushmail, Hidemyass etc.
Now I'm wondering if the Freedom Hosting takedown was also related to Snowden. Hell of a coincidence.
if someone uses
if someone uses IE/Firefox/whatever for "normal" browsing, and uses tor for anything that they want to be private (whatever that may be, banking, specific private correspondence, etc), and browses in tor with scripts disabled globally, is there any way in which the javascript exploit could have compromised the intended privacy? let's assume that this is with an outdated version of TBB. if when browsing using tor, all other browsers were closed and scripts were disabled, would there have been anything else that could have enabled the exploit to work? in task manager at any given time there are all sorts of items that communicate with the outside world (divxupdate.exe, as an example). when i use tor i try to take care to shut such items, but you never know. i understand that with scripts disabled technically the exploit probably didn't work, but is there any other way in which the computer could have been compromised in the process by the exploit?
Sounds like you should be
Sounds like you should be ok, at least against this exploit.
(See higher up in the comments where I answered the same question.)
Please learn the difference
Please learn the difference between privacy and anonymity. Tor is not made to protect your privacy; it is made to protect your identity, i.e. provide anonymity for you. You may use it for private matters too, but in that case you are trusting the ExitNode owner to not launch a man-in-the-middle attack against you. In general: Do not use a Tor connection to do private stuff.
No, this is poor
No, this is poor advice.
These words 'anonymity', 'privacy', and 'security' are basically synonyms -- you need to understand what the security properties are and what threats Tor defends against (and doesn't defend against).
You might like the explanation in my "Internet Days" talk: see item g at
https://www.torproject.org/docs/documentation#UpToSpeed
Using a Tor connection to do private stuff is totally reasonable. But if you're not using end-to-end encryption and authentication on today's Internet -- **whether you're using Tor or not** -- you are in for some surprises.
See also
https://svn.torproject.org/svn/projects/articles/circumvention-features…
I'm not sure which is more
I'm not sure which is more baffling and disturbing:
a) The fact that neither arma nor any of his colleagues have addressed the glaring, utter CONTRADICTIONS between a number of his posts here regarding JavaScript and what is stated at
https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled ,
or,
b) The fact that no one besides myself seems to be bothered by a) (or even /noticed/ it)
https://trac.torproject.org/projects/tor/ticket/9387
I skimmed and did a Ctrl-f for "faq". Nothing.
Incredible. Absolutely incredible.
Yeah, we should fix the faq.
Yeah, we should fix the faq. It's outdated in a variety of ways. Plus there's an old FAQ on the wiki that still needs more love.
Help us make our documentation useful, accurate, and up-to-date!
PEOPLE! I CAN'T BELIEVE
PEOPLE!
I CAN'T BELIEVE YOU'RE SO STUPID!
Please read why:
This is one of the methods how to trace back owners of tormail:
[root@bsd ~]# dig tormail.org MX
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> tormail.org MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54154
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;tormail.org. IN MX
;; ANSWER SECTION:
tormail.org. 2203 IN MX 15 backup.incoming.tormail.org.
tormail.org. 2203 IN MX 10 incoming.tormail.org.
;; Query time: 338 msec
;; SERVER: 255.255.255.0#53(255.255.255.0)
;; WHEN: Thu Aug 8 11:00:06 2013
;; MSG SIZE rcvd: 77
So if you had a legal power to use trace, you can trace owners of these 2 servers (for some reason they still respond to ping). So what feds had to do, is just go to those machines and install appropriate software and wait for the fish. Everybody knows that you can't keep server secure if someone has access to physical machine AND ESPECIALLY IF SOMEONE GOT ACCESS TO PHYSICAL MACHINE ON WHICH YOU NEVER HAD FULL ACCESS. So what I'm saying that I'm not surprised that they got caught. It was just a matter of time when this supposed to happen.
Yes, fucking feds and their ass kissers destroyed a lot of stuff, not just stuff, but lots of great and very useful and because of that I'm very very sad, but on the other hand, it is good that they raided them because YOU CAN'T RUN ONE OF THE MOST ILLEGAL STUFF ON THE PLANET ON -> SOMEONE ELSE'S RESPONSIBILITY <-. If you have a good plan and want to make it into real thing, then you need to learn how to do that yourself. As a person with 15 years of IT security I can only advise you to NOT run anything illegal on windows or linux. Choose OpenBSD. Go and read yourself why.
Also security of your server/servers should be higher than the one in banks or super secure government agencies. If there is an information leak - they could still survive, but what happens when someone will get your IP address - can you ?
Good luck
Good luck.
I have version 10.0.10
I have version 10.0.10 ESR.
According to WhatIsMyBrowser.com, my Javascript is disabled. I have NoScript running to block scripts globally. However, I noticed that my Firefox still has the 'Enable Javascript' box clicked. Does NoScript override that? It would seem that it does but I thought I should ask, anyway.
Yes, that is how it should
Yes, that is how it should work with NoScript. That lets NoScript allow through white listed sites that you want to be able to run scripts while blocking everything else. If Enable Javascript is unchecked, the whitelisted sites would get blocked too.
If you have 10.0.10 ESR, you
If you have 10.0.10 ESR, you should upgrade.
Sometimes when you hit the S
Sometimes when you hit the S button to disable scripts globally, and you then move to a different page, there is a separate time that you have to tap the button to specify whether you are willing to allow "about: blank". of course, by the time you get that, you're already on the page where you need to specify it. Here's my question: does that limit the effectiveness of the block on this particular malware script? If you were using an earlier version of TBB, had selected the "forbid scripts globally" option, but still had this "allow about: blank" issue on various pages, does that somehow eliminate the protection that you were supposedly afforded by having selected the "forbid scripts globally" option in the first place? Thanks.
http://www.slashgear.com/tor-
http://www.slashgear.com/tor-browser-malware-appears-loaded-by-fbi-to-i…
FBI hacked Tor Browser.
Wow~ I love hacked Tor Browser. Goooood !!
>>FBI hacked Tor
>>FBI hacked Tor Browser.
Err no.
hi, is there any difference
hi, is there any difference between having checked "forbid scripts globally" on the "S" icon through noscripts and having disabled javascript through options? i ask since on "normal" firefox if you enable noscripts and then go to about:config and search for "java" it seems that javascripts are still enabled. does the noscripts function just serve as a redundant blocker of scripts, i.e. noscripts and disabling scripts through firefox are like having two separate locks on your door? or is one better/more secure than the other and did one offer better protection against this exploit than the other did?
There is a difference, but
There is a difference, but it's subtle and not a big deal in this case.
Was TAILS exposed to this
Was TAILS exposed to this vulnerability?
No. (Read the advisory!)
No. (Read the advisory!)
" Sorry, your query failed
" Sorry, your query failed or an unexpected response was received."
Appreciate ur timely, and reasonable responses to all this chatter. Just launched TBB and received this reply. Tried to relaunch a couple of times, never seen it before. Your thoughts?
https://check.torproject.org/
https://check.torproject.org/ was overloaded for the past day or so.
https://trac.torproject.org/projects/tor/ticket/9204
Check could really use some love. Any volunteers please?
If someone ran a relay in
If someone ran a relay in the Tor network, would they be at risk? Exit nodes get raided all the time.
It is true that sometimes
It is true that sometimes exit relays are raided, but I think "all the time" is a huge overestimate.
You might like https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines for more advice.
so LAVABIT was raided too
so LAVABIT was raided too ... and is down.
Those server shutdowns are really going nuts. This is not just about some CP on deep web. This is about ordinary people too and I think that it's really time that those stupid masses already get what's going on. In US is just forming new Nazi state with one race which is dominant. They have it written even in constitution.
This is on their website now:
My Fellow Users,
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC
Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.
>>This is not just about
>>This is not just about some CP on deep web.
In view of the fact that Lavabit and Silent Circle have suspended operations it's looking increasingly likely that it was about getting access to TOR...
Sorry, by TOR I meant
Sorry, by TOR I meant Tormail.
I read that about silent
I read that about silent circle yesterday ... it's just crazy. I questioned how it is possible that one country can do whatever it wants under the flag of empty words like democracy justice and blah blah blah... then I watched Jacob Appelbaum in some German TV speaking with some political dudes and realized... that many countries are ruled by bunch of old and stupid cocks... and this is it. The most sophisticated answer on every question in the universe...
And another question is... what email service can I now use instead of lost lavabit?
So, if I'm right, to
So, if I'm right, to clarify:
1. If you've been running TBB with NoScript set to block ALL scripts then you are safe regardless of TBB version.
2. If you've been using the latest TBB then you are safe since June 26th but we don't know how long prior to that the vulnerability was being exploited and you may be at risk if you allowed Javascript
3. If you've been using an old pre June 26th version of TBB and had javascript enabled then you have been compromised.
The assumption is that this vulnerability has only been exploited recently because an ongoing exploitation (ie pre June 26th) would have been 'spotted' considering how quickly the community has unravelled it in the last few days.
1. Yes 2. If you updated
1. Yes
2. If you updated your version of TBB then you'll be safe (from the date you updated it) even if you had javascript enabled.
3. Yes
Your assumption seems reasonable.
I'm not sure about the
I'm not sure about the assumption. For quite a few months I've noticed that if I (stupidly) had left Javascript turned on and if I was on a Mac, then I would find some random browser crashes while surfing that I never noticed when on the PC.
Each time it would happen I would (a) curse at my stupidity for turning on, and then forgetting to turn off, Javascript, and (b) not grasp the significance of why I was having no troubles on Windows.
You don't say what operating
You don't say what operating system you're running on your Mac. If it isn't a version of Windows then your crashes weren't caused by this exploit as it only targets the Windows operating system.
(Although you didn't specifically say so, I'm presuming that you only enabled javascript on your Mac and that's why you "grasp the significance of why I was having no troubles on Windows.")
When you say "random browser crashes while surfing" you are talking about using TOR here aren't you? Not browsing the net normally using an ordinary browser outside of TOR?
Imo, if this exploit had been on the loose for sometime (and if it consistently causes browser crashes/closures when running) then the subject would have come up for public discussion as quite a lot of people would have been affected. And that's not the case.
I'm glad I always used
I'm glad I always used standalone Tor in conjunction with whatever networked apps I deem appropriate - not just browsers - rather than the so-called bundle. This last attack report has only confirmed my views once more, as well as Tor devs' ill founded insistence on having users browsers default to scripting enabled, even after proven targeted attacks have emerged!
Please don't even start to say that I'm any less secure by configuring my own browser myself (no java no javascripts no scripts at all indeed, DNS properly guarded etc etc) than if I were merging with the flock. It's the exact opposite.
Tor once used to be nice innovative technology, but I feel the Torproject has been going the wrong way for too long now. Not that their people are bad, only, I think, somewhat misguided.
IMnshO the TBB should be stopped immediately and R & D should, again, focus on the core Tor system, including : - use of UDP , - decoy traffic, - fixed length cells , - randomized delays ...
--
Noino
It's certainly true that
It's certainly true that some of the Tor people have gotten bogged down by trying to add a safe browser to the Tor world.
But development is in fact continuing on the core Tor program too. See e.g.
https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Tor/025/Tick…
(and then help out!)
haha a bunch of ре dоs in
haha a bunch of ре dоs in this thread are scared to death. and you should be! 99% of all tor users use it for ILLEGAL stuff. otherwise why use it in the first place?
Ah, the old tired "what do I
Ah, the old tired "what do I have to hide" argument?
Tor has hundreds of thousands of daily users. I would guess that most of them have never heard of the phrase "Tor hidden services".
https://www.torproject.org/about/torusers
ok but if they are legit
ok but if they are legit users like listed in the link, why would they be scared to death that they have been hacked.
I liked the way they phrased
I liked the way they phrased the answer in the NSA whistleblower talk at 29c3:
http://events.ccc.de/congress/2012/Fahrplan/events/5338.en.html
"What do you have to hide, because you haven't done anything wrong? You don't get to decide what counts as wrong. They do."
By your logic we should all be fine and happy that the NSA and other governments are building enormous databases about everything, because after all "we haven't done anything wrong." They get to decide *after the fact* what they want to look for and what counts as bad. And nowhere in the process do you get to try to explain to somebody why they are confused and actually you didn't do anything wrong.
If the government can build
If the government can build these databases then they WILL eventually abuse it (if they're not already).
Young people may blindly believe (as most do) that at any given moment the human race is at the height of fairness and enlightenment. It's just a matter of time before the next great "victimization" occurs.
This is a country that committed genocide against the native Americans, got rich off of kidnapping Africans and turning them into slaves, rounded up Japanese and put them in internment camps, made jailed people who didn't fight in various wars when conscripted, made it illegal to refuse to salute the flag or recite the pledge of allegiance and went on a witch hunt to persecute those who they suspected of being communists.
How do you think a presidential candidate is going to fare 10 years from now if his first order of business is going to be to cut the budget of the massive security complex once elected? This is the END of a democratically elected government in this country. Not that what we've had the last 14 years has been entirely on the up and up!