Tor security advisory: Old Tor Browser Bundles vulnerable
An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
- 2.3.25-10 (released June 26 2013)
- 2.4.15-alpha-1 (released June 26 2013)
- 2.4.15-beta-1 (released July 8 2013)
- 3.0alpha2 (released June 30 2013)
Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.
Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…
The other thing is even living in democracy... but what is democracy? Bunch of people and more than half of them chooses the leader. But there is no guarantee that this half is educated properly and cannot be manipulated by media for example. If you have some media, connections and money under your finger... it's no problem to create alternative reality for those people. And democracy becomes a funny word. Formally it is democracy ... but it can be a tyranny simultaneously. The biggest problem is people think that democracy is something magical ... but it's just another system created by humans... and therefore it isn't perfect... as any other systems made by people.
"Bunch of people and more than half of them chooses the leader. [...] If you have some media, connections and money under your finger... It's no problem to create alternative reality for those people."
so true bro, that's the best way to describe what they are doing to ignorant people, an alternative reality
Agreed about the historical abuses of the US government - but you forgot to mention that *right now* the government is circumventing its *own laws* by holding hundreds (including children) captive in Cuba without trial - and many have already been shown to be innocent of any wrongdoing but were simply in the wrong place at the wrong time.
silk road has 100,000 users
By that logic, since only tor users would visit this blog chances are you have something to hide.
Idiot.
Ok ... these are my facts:
1. I was running Firefox 17.0.7 and had JS allowed.
2. Had crashes visiting FH sites.
3. As far as I understand these crashes are unrelated to the exploit since I had the patched version of Firefox (17.0.7)
4. I am safe of the exploit regardless I had JS enabled since I was running Firefox 17.0.7.
Am I right?
Thank you.
Yep.
Now, you weren't magically safe from other potential vulnerabilities in Firefox. The crashes could have been from other attacks for all we know.
Speaking of which, you should upgrade your TBB (Firefox 17.0.8 is now out).
following on from this - I downloaded Tor on June 23, yet it was 17.0.7. But this seems to contradict the formal release date as 26 June.
When was 17.0.7 actually released?
Released on June 25, but the original directory was made on June 23.
I assume you didn't actually download it on June 23, but rather you're looking at the timestamp on your filesystem.
One thing is still not clear to me.
The message "Server down due to maintenance. Please try again in a few hours" or something like that, is that generated by the NSA site?
I noticed in the discussion here that a lot of people got that message even though they were running Firefox or Iceweasel 17.0.7 and wouldn't be affected.
But if that message comes from NSA then the exploit ran and succeeded, hence they are compromised, or am I missing something?
It appears that everyone visiting those sites received that message, whether they were, in actuality, compromised or not. There is a difference between seeing the message and being compromised, as users of the updated 17.0.7 version also saw that message, but were not vulnerable to the attack.
So what are you all guys doing that you are so concerned about privacy. Let me guess, you are all freedom fighters from North Korea? Because I can't imagine you are using TOR to access illegal stuff!
Because you concern only about your own butt living in "free" country abiding laws that were made by some "chosen" dudes does not mean everybody has to be as your kind. Yeah it's hard to understand that someone thinks different than you think so it MUST be something illegal. I know you feel as the bad one here therefore you must criminalize those other people so you will look as a good guy.
Yep there are some "bad guys" that are using tor services... and there are some "freedom fighters" but telling all tor users must be one of only those two groups tells us that you lack of wisdom and some logic too.
I would say ... instead of insulting people just because you do not understand world you live in... you could study a bit instead. You would be surprised how sometimes world isn't just "black" or "white". Even with those two colors things aren't so clear if they exist. Go look at wikipedia (or better find some fancy book about colors :)).
So any and all invasions of privacy and mass surveillance is justified because it might catch people who like to look at child porn? Paedophiles have become the modern day witches, and we are all supposed to accept anything that is done in the name of sniffing them out. IMO *nobody* should be made a criminal simply because they looked at a picture or read an article. Consider that it is a crime to look at an image of a child having sex, but not at an image of a child having their legs blown off by a predator drone. If it's all about child protection, which image is depicting the worst harm to a child? And what harm is caused to *anyone* by the act of looking at a photograph of either event? If you enjoy watching movies that depict illegal acts of violence, should you be treated as a criminal?
How is it possible to know that the exploit affects only Windows users? I am asking because I read that all TBB is identified like "Windows NT". Does the code call a command that runs only on Windows?
Yes. See the advisory (and the links in it).
Before anyone gives me the "check earlier in the thread" stuff, I have, and as yet there still has not been clear data on this (and admittedly, maybe this can't be factually discerned), but when was this exploit initially implemented? End of July, first day of August, first day of January 1937, you know...I had been running the "safe" version since the middle of July, but I know there are many people who updated later and would have a concern.
Don't know is the short answer.
However, what little evidence there is seems to point to it being implemented at the last weekend when the Freedom Hosting sites were taken down.
The affected sites had a "down for maintenance" message. I'm not clear whether the exploit tried to run when that "down" page was visited or whether the sites were actually down for real and the exploit was only implemented once they were back up (assuming they are back up).
It appears that the exploit (IF it worked on a user's browser and my understanding is that it doesn't work on Firefox ESR 17.0.7) also caused the browser to close or crash and those crashes haven't (I don't think) been reported by anyone prior to last weekend.
Also, if the exploit had been out in the wild for some time (e.g. since mid July) I'm pretty certain it would have been discovered prior to now.
None of this is 100% though. It could be that the exploit has been out on the loose for weeks and weeks.
Yep.
Arma, I see you mentioned somewhere before something about users of TBB on Windows are "screwed"
I haven't seen much mention of people using TBB on Windows so far, so;
I always used the latest TBB version on Windows Vista with JS disabled and saw the "down for maintenance" on Tormail, as others have.
Was I and others in a similar situation safe from this exploit?
Thanks in advance.
Probably?
It sure sounds like whoever broke into the hidden service changed the content to say "down for maintenance". Then when you visit the hidden service, you get the content it serves you. Which I guess included that text plus some javascript.
On a side note, I got an XML parser error on tormail; is it related to the exploit?
Probably not.
That said, if you're visiting tormail today, you should reconsider whether it is tormail.
>>Probably?
From what I understand, IF the original poster was using Firefox ESR 17.0.7, they would have been safe from this exploit (even if they had JavaScript enabled) since the exploit wouldn't have worked on their browser.
Isn't that correct?
Right.
Hey Arma
Some people said they had a white screen about 3 months ago that said that they were blocked and that their request had been logged when clicking on onion gateways.
Was this an IP grabbing exploit ??
No clue.
I've never visited any .onion addresses using TBB, but could this vulnerability have been exploited by clearnet sites like Google, Twitter, Facebook or other sites using tracking codes from Google Analytics or others or traffic analysis sites, etc. to expose the real IP address of the visitor or would that be illegal/unfeasible/easily detected?
The vulnerability could have been exploited by Google, etc, yes.
But there's no indication that it was.
So is it a bad idea of using tor with clearnet? I'm really confused now.
I mean ... I have an updated browser and Gnu/linux distro and don't need/use FB, Google, Twitter ... just old fashioned browsing/reading...
Most Tor users use Tor to visit normal websites. Hidden services are a toy that we whipped up to show what you can do once you have an overlay network.
In short, keep your TBB up-to-date, and consider following the other advice in the advisory. This whole episode had very little to do with whether it was a hidden service website or a 'normal' website.
Question.. wouldn't it make sense to randomize the Tor Browser user agent some? It's not like picking a Firefox 17 user agent 'randomly' on the basis of a statistical distribution of the top 50 or so would break compatibility with any legit sites... heck given the way Firefox is now giving updates barely worthy of a new minor version a new major version number, why not use a pool from Firefox (3.)"10" up to version 133 or whatever they're calling it now?
Do you choose a new random user agent every time you fetch a new page? In that case you look weird pretty quickly, since no normal browsers do that.
Or do you pick from the pool and stick with your choice? In that case you've just made a little mini-cookie for yourself.
I like the idea in theory, but in practice it seems to have some big problems.
NoScript not enabled by default on latest version of TAILS just released today (0.20). That is like shipping condoms with pinholes in them.
What about Orbot and Orweb? Is Javascript enabled by default? Is there any way to disable it?
I haven't used TOR within the last month but I haven't updated until today, would I still be affected by this exploit?
Given the timeframes, you're probably ok.
ARMA please put back the link, why not to the https://trac.torproject.org/projects/tor/ticket/9391 (PT TBBs out-of-date)? There are links to the Pluggable Transports Tor Browser Bundles with new Firefox. So much days new compiled are there and people generally don't know. Imagine how much harm for these people are outdated browsers compared to non-automate builds. TOR DEVELOPERS! PLEASE! Users that need PT the most are arguably the most vulnerable people, they need more care than you are showing! Add every working version you can to the downloads and always note what version of components you are distributing there
I think you will all fry for your illegal activities. And justly so....
Define the word "illegal" ... no... go ask Obama's thugs. Your definition is unimportant.
Oh.. yes when you will be there ask for word "justice" too.
Hello I'm not too tech. I have bundle 232510. This OK? Thanks!
It was ok. But now there is a newer one. You should upgrade.
Hello. I tried the upgrade after getting warning to do so, but I kept getting pop ups on certain sites. I keep No Script enabled but have Java working.
Can someone please tell me if there are security risks concerning some popular anti-virus programs out there? As I am new to TOR, I will need a basic list of certain companies' plugins to avoid, if there are any to avoid, or a more simplified reason to avoid any downloads with plugins that could be used to identify my IP address. And also, is the TOR BUNDLE DOWNLOAD the security update? The tor webpage didn't have anything called "security update". Please help.
How about tor on android using Firefox 23 with proxy?
I opened "about:config" in Firefox and changed the user agent string to something completely different than Firefox and Windows NT. Went to whatismybrowser.com and it showed what I had typed in, not Firefox or Windows NT. I wonder if the exploit needed the original entry to execute and would not have executed with my changes.
Ok, let me just start off by saying this is probably a really dumb question, so please forgive my ignorance! Anyway, I have never used Tor or the Browser Bundle before, and have never been to an onion website. I just read about this exploit online and was curious about the subject of Tor and the hidden internet (if that is the right thing to call it). So I was browsing through some articles and blogs online about the exploit and one of them had a list of onion sites that had supposedly been affected by the exploit. So while I am scrolling down the page on my iPhone (running the normal Safari browser), my finger accidentally hits one of the links to these onion sites (they were highlighted as links, so if you clicked one of them it would try to open). I immediately hit close, so it didn't have time to open anything. But I am just wondering if there is anything I need to worry about with this. From what I have read over the past couple days, my understanding is that you can't even get to these onion websites on a normal browser, such as Safari. Is that correct? If so, does that mean there is no way this exploit could have affected me? My javascript was enabled if that mattered, but I was obviously not using Windows or Firefox.
Right. .onion is a non-existent top level domain. If you type a domain name with it in the end in the address bar of a browser which isn't using the Tor network you will get a message from your browser (not a remote machine) saying something like non-existent domain. A domain name which ends in .onion just has sense inside the Tor network. You cannot be exploited because your browser isn't requesting any website. On the other hand, if you browse the Internet without using Tor, your real IP address is already sent to the server, no exploit is needed. This is just how the regular Internet works.
Have yet to see a detailed description of the maintenance page. Was the text center-aligned / mid page or located at page top ? Did the reported crashes occur immediately after visit or later ?
One of the things I find strange is why the attacker put the exploit on a generic "Down for maintenance" page. Surely, if they wanted to tie a specific Tormail account to a specific IP address, they would have injected the exploit after a login page. At the moment they might have something like Mr X tried to access Tormail, but so did Mr Y, Mr Z and a load of other people. What good is that for gathering intelligence? Something is off. Any thoughts?