Silk Road forums

Discussion => Silk Road discussion => Topic started by: slash on August 07, 2013, 10:00 pm

Title: question about the recent FH event?
Post by: slash on August 07, 2013, 10:00 pm

tor-announce] Tor security advisory: Old Tor Browser Bundles vulnerable

SUMMARY:
  This is a critical security announcement.

  An attack that exploits a Firefox vulnerability in JavaScript [1]
  has been observed in the wild. Specifically, Windows users using the
  Tor Browser Bundle (which includes Firefox plus privacy patches [2])
  appear to have been targeted.

  This vulnerability was fixed in Firefox 17.0.7 ESR [3]. The following
  versions of the Tor Browser Bundle include this fixed version:
    2.3.25-10 (released June 26 2013) [4]
    2.4.15-alpha-1 (released June 26 2013) [4]
    2.4.15-beta-1 (released July 8 2013) [5]
    3.0alpha2 (released June 30 2013) [6]

  Tor Browser Bundle users should ensure they're running a recent enough
  bundle version, and consider taking further security precautions as
  described below.

WHO IS AFFECTED:
  In principle, all users of all Tor Browser Bundles earlier than
  the above versions are vulnerable. But in practice, it appears that
  only Windows users with vulnerable Firefox versions were actually
  exploitable by this attack.

  (If you're not sure what version you have, click on "Help -> About
  Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])

  To be clear, while the Firefox vulnerability is cross-platform, the
  attack code is Windows-specific. It appears that TBB users on Linux
  and OS X, as well as users of LiveCD systems like Tails, were not
  exploited by this attack.

IMPACT:
  The vulnerability allows arbitrary code execution, so an attacker
  could in principle take over the victim's computer. However, the
  observed version of the attack appears to collect the hostname and MAC
  address of the victim computer, send that to a remote webserver over
  a non-Tor connection, and then crash or exit [8]. The attack appears
  to have been injected into (or by) various Tor hidden services [9],
  and it's reasonable to conclude that the attacker now has a list of
  vulnerable Tor users who visited those hidden services.

  We don't currently believe that the attack modifies anything on the
  victim computer.

WHAT TO DO:
  First, be sure you're running a recent enough Tor Browser Bundle. That
  should keep you safe from this attack.

  Second, be sure to keep up-to-date in the future. Tor Browser Bundle
  automatically checks whether it's out of date, and notifies you on its
  homepage when you need to upgrade. Recent versions also add a flashing
  exclamation point over the Tor onion icon. We also post about new
  versions on the Tor blog: https://blog.torproject.org/

  Third, realize that this wasn't the first Firefox vulnerability, nor
  will it be the last [10]. Consider disabling JavaScript (click the blue
  "S" beside the green onion, and select "Forbid Scripts Globally").
  Disabling JavaScript will reduce your vulnerability to other attacks
  like this one, but disabling JavaScript will make some websites not work
  like you expect. A future version of Tor Browser Bundle will have an
  easier interface for letting you configure your JavaScript settings [11].
  You might also like Request Policy [12]. And you might want to randomize
  your MAC address, install various firewalls, etc.

  Fourth, consider switching to a "live system" approach like Tails [13].
  Really, switching away from Windows is probably a good security move
  for many reasons.

  And finally, be aware that many other vectors remain for vulnerabilities
  in Firefox. JavaScript is one big vector for attack, but many other
  big vectors exist, like css, svg, xml, the renderer, etc. We need
  help improving usability of (and doing more security analysis of)
  better sandboxing approaches [14] as well as VM-based approaches like
  Whonix [15] and WiNoN [16]. Please help!







only old version of TBB could be affected by the exploit as vulnerability was fixed in firefox 17.0.7,

can someone confirm this is correct info?and how torproject happen to be aware of that vulnerability before it occurs?

thanks

Title: Re: question about the recent FH event?
Post by: astor on August 07, 2013, 11:12 pm

Please take some time to read the main threads on the forum before you ask a question.

As has been said many times in many threads and on many web sites, yes, only older versions of the browser bundle are affected. If you are using the latest browser bundle, released on June 26, you are safe against that exploit.

I don't know if they knew specifically about that exploit until the reports came in that it was being used on FH, at which point they would have checked with the Mozilla people and confirmed that it was fixed in the version of Firefox that they used to build the latest Tor Browser.