Tor security advisory: Old Tor Browser Bundles vulnerable
An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
- 2.3.25-10 (released June 26 2013)
- 2.4.15-alpha-1 (released June 26 2013)
- 2.4.15-beta-1 (released July 8 2013)
- 3.0alpha2 (released June 30 2013)
Tor Browser Bundle users should ensure they are running one of the bundle versions listed above (or newer), and consider taking further security precautions.
Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…
HELLO!
Have an older version of TBB (maybe updated last year) on my laptop, which I use only when my work computers are down. I am sure that it has a version the exploit could run on. I last used it mid July but always set the button to no scripts (S tab with blue cross out) for fear of adware and viruses. Not sure if I visited any of those freedom host things; I know I didn't get anything saying "down for maintenance", but nonetheless am I at risk?
Did the malware only take advantage of stupid people with their scripts left on, or did it affect those with even NoScript turned to block all? Could someone with knowledge respond? Thanks
If you have scripts disabled, then as far as we know this exploit couldn't exploit you.
(But there are still other vulnerabilities in older Firefoxes that don't need scripting to work. Upgrade!)
I know it says above that it was aimed at users with Windows, so is it 100% certain the attack wouldn't have happened on a Mac?
The exploit payload used Windows-specific code. So it's pretty clear this exploit wouldn't have worked on OS X.
That doesn't mean there wasn't some alternative exploit out there (the vulnerability was cross-platform after all), but nobody has seen one.
I always thought that any C/C++ based software is inherently unsafe.
The language is simply too complex and it is just too easy to fuck something up. This is not a matter of "being good coders"; this is really a matter of a programming language that makes it too easy to screw something up.
I do really think we should move on to newer/better languages. One of them is Go [ http://golang.org/ ]. By using a modern language such as Go, which includes several improvements over C/C++ (goroutines, a garbage collector, no pointer arithmetic, faster [and easier] compilation, etc.), we could really make our software much more robust and safe. It is clear by now that this is becoming an emergency... the more we surround ourselves with gadgets, the more easily we will fall prey to hackers and shameful agencies working against their citizens.
What I propose here is to write a custom web browser (in Go, for instance) that supports only basic HTML and CSS and that relies only on Go libraries, and to make it the Tor browser. My proposal could be extended to Tor itself in order to prevent exploits in it too.
Here is another scenario.
Let's say you want to avoid c*p and illegal stuff on the deep web, so you turn off images.
But you need JS for some reason and forget to disable it again.
Then a few days ago you load up your now outdated and vulnerable TBB to find most FH sites are down or acting weird.
You go to legal but infected onions on FH or Tormail with the maintenance message, and BAM, they have your real IP, MAC, host.
They know what site you have visited by sending not only the MAC and hostname but also some sort of generated ID from the site.
Confused here, just wondering: if you don't mess with the NoScript options at all, but still go into Options and disable JavaScript, that still disables it, right? Does it disable anything else?
That should work fine.
I can confirm that disabling JavaScript from the browser options overrides NoScript.
Restoring NoScript to the default setting of blocking scripts globally may be the preferred option.
See:
http://noscript.net/faq#qa7_5
"Disabling JavaScript using your browser built-in settings (or the IE's < IFRAME SECURITY="restricted" > feature) actually disrupts any JavaScript-based anti-Clickjacking protection the target site may have deployed. The good news is that this limitation does not apply if you use NoScript, thanks to Frame Break Emulation: if a framed page which is not allowed to run JavaScript contains a “frame busting” script, the intention of the page author is honored by NoScript, i.e. the page replaces the topmost document. You can control this feature toggling the noscript.emulateFrameBreak about:config preference."
Restoring NoScript to the default setting of blocking scripts globally may be the preferred option.
I meant, of course, the actual NoScript default and not the TBB/Tails default that has NoScript set to allow scripts globally.
If you have javascript OFF and still get a crash, could the malware still have been executed?
I want to know this as well. I was using the most recent TBB with JavaScript off and I got the crash, since I kept refreshing the "down for maintenance" page...
Would this have displayed/sent back the MAC address of the wireless modem/router, or just that of the computer/wifi card on the motherboard?
The latter.
(Read earlier comments for details.)
Is there any reason to doubt that this MAC is sent along trunk fiber to all sorts of major destinations -- that are PRISM'd with taps (just before branch-off to their final destination reaching major company servers such as those named in recent weeks)?
Is anyone confident that Windows' Update software doesn't find and send the MAC over as part of Windows authentication and/or computer ID/fingerprinting? And similarly, many non-OS apps? Skype's rummaging around never uses the MAC for computer ID or any other unknown purposes?
And all these communications are all sent thru super-securely, PFS etc?
The idea that MAC correlation to IP and other fingerprint data is some closely guarded secret in this age... doesn't that seem strange?
Firefox 17.0.8 HAS BEEN RELEASED TODAY.
Fixed in Firefox ESR 17.0.8
MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
Yes!
Tor users will soon have another opportunity to upgrade. :)
Hi Arma,
So, confirming from the advisory: users on OS X running the latest version of TBB who had JS on were not affected, regardless of JS being turned on?
I also assume that, regardless of the exploit working or not, a person would still see the 'Outage' message on the page?
For example, if an OS X user were running an older version of TBB but had JS turned on, they would still not be affected due to this being Windows based?
Correct.
NoScript should be enabled by default in the next version of TAILS (0.20).
What the fuck is torproject thinking, still having JavaScript enabled by default?
The whole point of using Tor is to stay anonymous; if people wanted easy access to the net they would use IE instead.
Why the fuck would people want the biggest exploit enabled by default? Are they paid by you know who to keep the backdoor open?
https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled :
"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).
Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."
(all emphasis mine)
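The FAQ's second paragraph makes a claim about anonymity sets that is easier to see in code. The following is an added example, not part of the comment above, the Tor FAQ, or any Tor Project code. It models one page that embeds scripts from several third-party origins; each script that actually executes can report itself (for instance by fetching an image from its own origin), so the page's operator learns one bit per origin. Users are then grouped by the resulting bit pattern. The user names, policies and origins are constructed sample data.

```javascript
'use strict';

// Constructed sample policies. 'global' = scripts allowed everywhere (the Tor
// Browser Bundle default), 'none' = JavaScript disabled in the browser,
// 'allowlist' = NoScript with only the listed origins permitted.
const SAMPLE_USERS = {
  alice: { mode: 'global' },
  bob:   { mode: 'global' },
  carol: { mode: 'global' },
  dave:  { mode: 'none' },
  erin:  { mode: 'allowlist', allow: ['youtube.com', 'ajax.googleapis.com'] },
  frank: { mode: 'allowlist', allow: ['youtube.com'] },
  grace: { mode: 'allowlist', allow: ['example.org', 'ajax.googleapis.com'] },
};

// Constructed sample: origins of the <script src> tags embedded in one page.
const EMBEDDED_SCRIPT_ORIGINS = [
  'example.org', 'ajax.googleapis.com', 'youtube.com', 'facebook.com',
];

// Does a script served from `origin` execute under this policy?
function scriptRuns(policy, origin) {
  switch (policy.mode) {
    case 'global': return true;
    case 'none': return false;
    case 'allowlist': return policy.allow.includes(origin);
    default: throw new Error(`unknown policy mode: ${policy.mode}`);
  }
}

// What the page and its third parties observe about a visitor: one bit per
// embedded origin, '1' if that origin's script ran.
function observation(policy, origins) {
  return origins.map(o => (scriptRuns(policy, o) ? '1' : '0')).join('');
}

// Group users by what the page observes about them. Each group is the crowd
// its members blend into on this page.
function anonymitySets(users, origins) {
  const sets = new Map();
  for (const [name, policy] of Object.entries(users)) {
    const key = observation(policy, origins);
    if (!sets.has(key)) sets.set(key, []);
    sets.get(key).push(name);
  }
  return sets;
}

// Size of the crowd one named user blends into.
function anonymitySetSize(users, origins, name) {
  const key = observation(users[name], origins);
  return anonymitySets(users, origins).get(key).length;
}

// Stand-alone run: every default user shares one pattern; every user with a
// custom allow list, and the user with JavaScript off, is alone.
for (const name of Object.keys(SAMPLE_USERS)) {
  const obs = observation(SAMPLE_USERS[name], EMBEDDED_SCRIPT_ORIGINS);
  const crowd = anonymitySetSize(SAMPLE_USERS, EMBEDDED_SCRIPT_ORIGINS, name);
  console.log(`${name}: observation=${obs} crowd=${crowd}`);
}
```

With the sample data the three default users share the pattern 1111, while the JavaScript-off user (0000) and each allow-list user (0110, 0010, 1100) are in a crowd of one. Whether that matters depends on the threat model: the pattern distinguishes browsers, not people, which is the point the replies below argue about.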
What a load of bullshit excuses.
What they are saying is they recommend you enable JavaScript on all sites so they won't notice you're using Tor, thus increasing your anonymity.
These excuses may fool newbies, but not anyone remotely tech savvy on browsers.
So what if they "uniquely identify your browser"? As long as you never post personal information on Tor they'll never know who is using that browser, and that is the whole point. Explain to me how, if all users have JavaScript disabled by default and almost everyone enables JavaScript for YouTube, that will 'very likely uniquely identify your browser'?
Also, it's not like it's hard to find out a visitor is from a Tor exit node; hell, the "Firefox 17.0.x" user agent alone is already a big sign someone is using Tor.
JavaScript exposes so much more info about your browser and OS (screen resolution, installed fonts, etc.); now THAT is what is 'very likely to uniquely identify your browser'. How do they explain that?
Anyone telling you having Javascript enabled is safer is sleeping with the FEDs, period.
Stop the lies and disable javascript by default, NOW.
The thing to know about Tor developers is that they have major hard ons for unlinkability and don't really care as much about untraceability. They think a win is if you go to website A and then website B, and 99% of the time the same attacker cannot link you to both sessions. They don't care as much if 1% of the time any attacker can link you to either website A or website B. This is evidenced in a lot of the choices they have made: quick circuit rotation (even much quicker in the past at 30 seconds, raised only to reduce load on the network too), a suggestion to leave JavaScript enabled to reduce browser fingerprinting despite opening you up to an entire class of hacking techniques that could deanonymize you, etc. Tor developers have a different threat model in mind than a majority of their users do. You don't want to be traced ever, even once; they don't want an attacker to determine that you went to website A AND website B.
They also are very concerned about getting as many people using the network as possible, and will sacrifice security for usability. This also contributed to their choice to leave JavaScript enabled. It also contributes to their choice to give you three entry guards even though you are much more secure with a single entry guard or possibly two. It is also why entry guards rotate so much. It is also why they bundle everything together and make it extremely hard to use individual components in custom configurations (oh, we cannot ship Tor Browser independently, some people might think it uses Tor even if it isn't configured to!).
So pretty much we have a few issues. The first issue is that our threat model is not the same threat model as the Tor people are focusing on. The second problem is that they have taken to pandering to idiots. The third problem is that they have taken to pandering to people who want to watch cat videos on youtube.
That doesn't make sense. Enabling javascript is EXACTLY what let them track you from website A to website B.
Let's take a look at torproject.org's frontpage, which states:
Anonymity Online - Protect your privacy. Defend yourself against network surveillance and traffic analysis.
Enabling javascript by default doesn't protect your privacy, period. Sugar coating it doesn't change the fact.
Many web sites load JavaScript from ajax.google.com and also from facebook.com for the 'like button' scripts, and that gives them details to profile your browsing habits. Combined with the 100s of other tracking scripts and the HTTP referer header, you're pretty much dead in the water as long as JavaScript is on.
Tor was designed for privacy. I don't care what 'threat model' they are using; if they enable JavaScript by default then someone in that organization is sleeping with the FEDs. What is so hard about having it disabled by default and only enabling it when you really need it? By enabling JavaScript by default they are tricking those non tech savvy people into leaking information to everyone out there.
More information on how 100s of companies are working together to track you online:
http://www.ibvpn.com/blog/2012/07/how-far-are-you-being-tracked-on-the-…
http://www.forbes.com/sites/kashmirhill/2012/02/29/heres-the-best-and-p…
http://www.alternet.org/story/153592/are_you_being_tracked_8_ways_your_…
Yeah, you have a good point actually. The Tor developers' reason for turning JavaScript on actually makes no sense at all. It doesn't protect you from linkability when you get fucking hacked through your browser and rooted. So pretty much their entire defense of turning JavaScript on has crumbled.
Right, Tor is a specialized tool to ensure privacy, that is its core function, its sole reason for existence.
The Torproject team should make it easy for people to maintain privacy, not make it easy for people to watch youtube. That means disabling javascript by default, not the other way around.
The Torproject team have lost their priorities and got it all backwards.
Something just isn't right.
You're right about what Tor is -- it's a proxy which, when used correctly, tries to anonymize the traffic flows going through it.
Using this proxy safely, for browsing, introduces a world of new headaches. We have tried to address them with TBB, but it's certainly not easy. And keep in mind that TBB is relatively new compared to the Tor program itself.
See the end of the advisory for links to approaches that can make this better. And then help us do it!
BWAHAHAHA, enabling JavaScript is safer? Crack pipe please!
JavaScript exposes your system's time zone/screen size/color depth/system fonts, without even using any hacks. Test it yourself:
https://panopticlick.eff.org/index.php?action=log
How the fuck is that safer? That's before we even talk about all the javascript exploits.
If javascript is safer noscript wouldn't attach the (dangerous) warning sign to it now would it.
Stop lying.
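The attributes the comment above lists can be read with a few lines of script, and this is how a page turns them into an identifier. The following is an added example, not code from the comment's author, Panopticlick, NoScript, or the Tor Project. collectFingerprint() takes a window-like object so the same code runs against a real `window` in a browser or against the constructed visitor objects built here; the user-agent string and other values are constructed sample data, and font enumeration (which needs DOM measurement tricks) is left out.

```javascript
'use strict';

// Read the passive attributes a page can collect without any exploit.
function collectFingerprint(win) {
  const nav = win.navigator;
  const scr = win.screen;
  return {
    userAgent: nav.userAgent,
    platform: nav.platform,
    language: nav.language,
    screen: `${scr.width}x${scr.height}x${scr.colorDepth}`,
    // Minutes between UTC and local time; narrows down the time zone.
    timezoneOffset: new win.Date().getTimezoneOffset(),
    // navigator.plugins is array-like, so Array.from works on a real PluginArray.
    plugins: Array.from(nav.plugins || [], p => p.name).sort().join(','),
  };
}

// FNV-1a 32-bit over the serialized attributes: a short, stable identifier.
// Chosen so the example needs no imports; any hash would do for this purpose.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

function fingerprintId(win) {
  return fnv1a32(JSON.stringify(collectFingerprint(win)));
}

// Constructed window objects standing in for visitors. The time zone offset is
// baked into a Date subclass so no real clock or zone is consulted.
function fakeWindow({ ua, platform, language, width, height, colorDepth, tzOffset, plugins }) {
  return {
    navigator: { userAgent: ua, platform, language, plugins: plugins.map(name => ({ name })) },
    screen: { width, height, colorDepth },
    Date: class extends Date { getTimezoneOffset() { return tzOffset; } },
  };
}

// Constructed values resembling what a Firefox 17 ESR on Windows reports.
const FIREFOX17_LIKE = {
  ua: 'Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0',
  platform: 'Win32', language: 'en-US', colorDepth: 24, tzOffset: 0, plugins: [],
};
const visitorA = fakeWindow({ ...FIREFOX17_LIKE, width: 1000, height: 800 });
const visitorB = fakeWindow({ ...FIREFOX17_LIKE, width: 1920, height: 1080 });
const visitorC = fakeWindow({ ...FIREFOX17_LIKE, width: 1000, height: 800 });

// Stand-alone run: A and C are indistinguishable, B differs only in screen size
// and already gets a different identifier.
console.log('A', fingerprintId(visitorA));
console.log('B', fingerprintId(visitorB));
console.log('C', fingerprintId(visitorC));
```

The defensive reading of the same code: a browser reduces this surface not by hiding one attribute but by making every attribute identical across its users, which is why a uniform user agent and a uniform window size matter and why a single odd value (a custom resolution, an extra plugin) pulls a visitor out of the crowd.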
Partners in crime? We've been screaming about it for a while and the devs said, "move on, nothing to worry about", and now here we go, a successful JS exploit on Tor. Great job guys!!
Hey retaaaaaards, if we wanted to surf the net easily we'd still be using IE. Make TBB turn off the damned JavaScript by default, NOW!
The only safe way now is to install a new and clean Windows in VirtualBox, then install TBB, and after that take a snapshot of the virtual machine so you can restore it to a brand new state after each shutdown.
Setting the DNS server to some bogus IP address also helps: no accidental connections to legit domains.
If you're willing to run stuff in a VM, I'd suggest running Tails in your VM.
Tails has more holes than Swiss cheese; it also enables JavaScript by default.
The user base for Tails is not large enough to detect hidden backdoors. At least with a new copy of Windows you can have a firewall that locks things down PER PROCESS; you'd know exactly what program is making a connection and could block all processes except TBB. You can't do this with Tails.
Suit yourself -- if you're a Windows expert, go for it. Not many Tor users are Windows experts I bet.
Alas, your approach doesn't scale: Windows isn't free software, so that "new copy of windows" you describe is tough to distribute legally.
As for the Tails user base, their June statistics see a Tails boot every 18 seconds on average:
https://tails.boum.org/news/report_2013_06/index.en.html
That would seem to be quite a few users.
Stay away from PRISM, people, use the Snowden torrc
#The Snowden torrc config
#Skips major Prism countries and only from a Russia IP
ExcludeNodes {us},{gb},{ca},{au}
ExitNodes {ru}
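An added note on that fragment, not part of the comment above: as written, those two lines are a preference, not a rule. The tor manual describes ExcludeNodes as an option Tor is allowed to override in order to keep working (for example, when every introduction point of a hidden service is excluded, Tor connects to one anyway) unless StrictNodes is set. The version below is the same policy with that option added; it is an added example, not the commenter's torrc.

```text
# Same exclusion and exit policy as the comment above.
ExcludeNodes {us},{gb},{ca},{au}
ExitNodes {ru}
# Without this line Tor may quietly use an excluded relay to keep working;
# with it, such connections fail instead.
StrictNodes 1
```

Two caveats a practitioner would add: the {cc} country codes only match when Tor has a GeoIP database to consult, and ExitNodes pins only the last hop, so it says nothing about which guard and middle relays are chosen or which physical links the traffic crosses on the way there. Restricting exits to one country also shrinks the set of relays your client will use, which is a distinctive behaviour in itself.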
A while ago I was talking to people in Sweden who were lamenting Sweden's new "we log everything that goes across our national border" surveillance approach. These same people also pointed out that much of Russia's Internet traffic transits Sweden. Careful with this more-centralized-than-you-think Internet we've got.
Oh well at least the Russians won't suck US's dick by raiding exit nodes every time the US chucks a fit.
How can you know the Russian exit nodes aren't maintained by the US?
This is funny, the NoScript button states:
Allow Scripts Globally (dangerous)
And these torproject idiots LEFT IT ON by default?
What a load of bullshit excuses.
What they are saying is they recommend you enable JavaScript on all sites so they won't notice you're using Tor, thus increasing your anonymity.
These excuses may fool newbies, but not anyone remotely tech savvy on browsers.
So what if they "uniquely identify your browser"? As long as you never post personal information on Tor they'll never know who is using that browser, and that is the whole point. Explain to me how, if all users have JavaScript disabled by default and almost everyone enables JavaScript for YouTube, that will 'very likely uniquely identify your browser'?
Also, it's not like it's hard to find out a visitor is from a Tor exit node; hell, the "Firefox 17.0.x" user agent alone is already a big sign someone is using Tor.
JavaScript exposes so much more info about your browser and OS (screen resolution, installed fonts, etc.); now THAT is what is 'very likely to uniquely identify your browser'.
Cut the BS and disable JavaScript by default, NOW.
BS, JavaScript exposes your OS/screen resolution/installed fonts.
Anyone telling you having JavaScript enabled is safer is sleeping with the FEDs.
Who wrote that anyway? It's time to name names.
These comments should be directed at the **TOR PROJECT** as I was merely **QUOTING** /their/ FAQ, found at:
https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled
and noting that the recent comments on the matter that were posted by "arma", an official representative of the very same Tor Project, glaringly contradict the statements in their FAQ that I quoted.
For this alone-- the glaring contradiction and the lack of any response to it thus far from anyone at the Tor Project (despite numerous other comments being posted by arma in the time since I pointed-out the contradiction)-- people should be alarmed and demanding an explanation, regardless of where anyone may stand on the question of JavaScript itself.
Tor is based on the crappiest browser in the world. Firefox sucks and sucks bad.
2012 was the year that Firefox was exposed.
https://www.nsslabs.com/reports/2012-browser-security-comparative-analy…
No kidding. But it's the best we've got, for now. I want to switch to Chrome, but it still has some enormous privacy vulnerabilities that are unfixed (and unfixable using the APIs provided).
https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-f…
Any chance of looking at Midori and QupZilla?