Jump to content

Exploit vendor drops Tor Browser zero-day on Twitter


Recommended Posts

A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable.




Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.


In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions.


NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content. It is included with all Tor Browser distributions because it provides an extra layer of security for Tor Browser users.


Zerodium's Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking ability.


According to Zerodium, the zero-day affects only the Tor Browser 7.x series. The Tor Browser 8.x branch, released last week, is not affected.


The reason is that the Tor Browser 8.x series switched its underlying codebase from an older Firefox core to the new Firefox Quantum platform, which uses a new add-ons API.


The NoScript add-on was rewritten at the end of last year to work on the new Firefox Quantum platform, hence the reason why the zero-day revealed today does not work on the new Tor Browser 8.x series.



In an interview with ZDNet, Giorgio Maone, the author of the NoScript extension, said the zero-day was caused by a workaround for NoScript blocking the Tor Browser's in-browser JSON viewer.


Maone was not aware of the vulnerability before ZDNet contacted him earlier today.


After successfully reproducing the issue, Maone promised an update to the NoScript add-on for later today, to mitigate the zero-day's effects.


"I'm gonna release the update within 24 hours or less, like I always did in the past," Maone told ZDNet.



The Tor Project replied to ZDNet's request for comment but was not prepared to issue an official statement before this article's publication.


In an email exchange with ZDNet, Zerodium CEO Chaouki Bekrar provided more details about today's zero-day.


"We've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements," Bekrar told ZDNet.


"This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.


"We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users.


"The exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component.

"If a user sets his Tor browser security level to "Safest" aiming to block all JavaScript from all websites e.g. to prevent exploits, the disclosed bug would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code, making the 'Safest' security level useless against browser exploits," Bekrar added.


ZDNet advises Tor Browser 7.x users to update to Tor Browser 8.x, or at least make sure to install the NoScript update that Maone promised for later today. The current NoScript version included with Tor Browser 7.5.6 is NoScript


UPDATE: Minutes after this article's publication, Maone released NoScript "Classic" version, which fixes the zero-day's exploitation vector. The patch came exactly two hours after Zerodium released details on Twitter. Maone also told ZDNet that the bug was introduced in NoScript 5.0.4, released on May the 11th 2017.



Link to comment
Share on other sites

10 hours ago, steven36 said:

Update your browsers people i think i may start using uMatrix with my copy for a extra layer  of protection .:blink:


Wise choice. I have always used it as an additional layer.  Sometimes it may interfere with a trusted website but is easy to turn off for those few occasions.

Link to comment
Share on other sites

I don't think this works if you turn JavaScript off in about config. Noscript let's the code load just not run, the switch in about config doesn't even let it load. One extra step takes about 30 seconds

Link to comment
Share on other sites

8 hours ago, straycat19 said:


Wise choice. I have always used it as an additional layer.  Sometimes it may interfere with a trusted website but is easy to turn off for those few occasions.

I use it in Firefox always just not normally not in Torbrowser  ,i stop using Noscript in Firefox long ago  before they had uMatrix for Firefox  i was using Policeman .. But because TOR Devs said it's best not to run other addons  other than the one that comes with it because of exploits i just was using it as they said.   but i think they more was talking about addons that calls home witch are more likey to be exploited in Firefox . uMatrix just blocks out the any 3rd party  websites from being able to exploit  you    .

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...