In a critical security advisory issued over the weekend, the Tor Project told its users that they should seriously consider migrating away from Microsoft’s Windows operating system and disabling JavaScript.

The Tor Project security advisory was a response to revelations on Sunday that an attack had targeted users of the Tor Browser. According to the advisory, the attack exploited a Firefox JavaScript vulnerability that has already been resolved. The vulnerability is a cross-platform threat, but the exploit in this case was Windows-specific. Tor Browser Bundle users on Linux, OS X, and LiveCD systems like Tails were never at risk of exploit.

The advisory lays out a list of actions users should take to protect themselves and their anonymity in the future, concluding with the Tor Project’s Roger Dingledine writing:

“Really, switching away from Windows is probably a good security move for many reasons.”

Users are also advised to make sure they are running a recent enough version of the Tor Browser. The vulnerability itself was fixed in Firefox 17.0.7, which means that Tor Browser Bundle versions 2.3.25-10, 2.4.15-alpha-1, 2.4.15-beta-1, and 3.0alpha2 are all safe. Users are further urged to stay updated going forward, because this isn’t the first Firefox vulnerability and it won’t be the last. Beyond that, there are other vectors for potential attack, including JavaScript, CSS, SVG, XML, the renderer, and more. It may also be a good idea to just disable JavaScript altogether, Dingledine writes.
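As an added example (not part of the article or of the Tor Project’s own tooling), a check that compares a reported Tor Browser Bundle version against the fixed versions listed above, treating each release channel (2.3 stable, 2.4 alpha, 2.4 beta, 3.0 alpha) separately. Version strings are assumed to follow the three spellings the advisory uses; anything on a channel the advisory does not list is reported as undecidable rather than as safe.

```python
import re
from typing import Optional, Tuple

# Lowest Tor Browser Bundle version on each release channel that ships the
# Firefox 17.0.7 fix, per the advisory quoted above. Key: (major.minor, tag).
FIXED_VERSIONS = {
    ("2.3", "stable"): "2.3.25-10",
    ("2.4", "alpha"): "2.4.15-alpha-1",
    ("2.4", "beta"): "2.4.15-beta-1",
    ("3.0", "alpha"): "3.0alpha2",
}

# Matches the three spellings the advisory uses: "2.3.25-10",
# "2.4.15-alpha-1" and "3.0alpha2" (assumed format; no other forms handled).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-?(alpha|beta)-?(\d+)|-(\d+))?$")

Channel = Tuple[str, str]
Key = Tuple[Tuple[int, ...], int]


def parse_version(text: str) -> Tuple[Channel, Key]:
    """Split a version string into its channel and an orderable key.

    The key's second element is the build number for stable releases and
    the alpha/beta number for pre-releases (0 when absent).
    """
    m = _VERSION_RE.match(text.strip())
    if not m or "." not in m.group(1):
        raise ValueError(f"unrecognised Tor Browser version: {text!r}")
    base = tuple(int(p) for p in m.group(1).split("."))
    tag = m.group(2) or "stable"
    seq = int(m.group(3) or m.group(4) or 0)
    return (f"{base[0]}.{base[1]}", tag), (base, seq)


def is_patched(text: str) -> Optional[bool]:
    """True if at or past the fixed release of its channel, False if older,
    None if the channel is not one the advisory covers (cannot decide)."""
    channel, key = parse_version(text)
    fixed = FIXED_VERSIONS.get(channel)
    if fixed is None:
        return None
    return key >= parse_version(fixed)[1]


if __name__ == "__main__":
    for v in ["2.3.25-9", "2.3.25-10", "2.4.14-alpha-3", "3.0alpha1", "3.0beta1"]:
        print(f"{v:16} patched={is_patched(v)}")
```

A result of None is deliberate: a later channel such as a 3.0 beta is not in the advisory, so the check refuses to guess rather than mark it safe.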

“We need help improving usability of (and doing more security analysis of) better sandboxing approaches as well as VM-based approaches like Whonix and WiNoN,” Dingledine writes. “Please help!”

Auto-update is not yet supported on the Tor Browser, so users are responsible for updating themselves. The Electronic Frontier Foundation published a guide that walks users through the process.

The Tor Browser, per the Electronic Frontier Foundation’s explanation, is a modified version of the Mozilla Firefox browser that gives users the ability to browse anonymously through Tor without having to do any real configuration. Because the Tor Browser is based largely on Mozilla code, it is often affected by Mozilla vulnerabilities.

Regarding the attack itself, the Tor Project said, “We don’t currently believe that the attack modifies anything on the victim computer.”

However, the vulnerability enabled arbitrary code execution, so an attacker could potentially have taken over a victim’s machine. In practice, the attack appears to have collected hostnames and MAC addresses from victim machines, which it then sent to a remote server over a non-Tor connection, before crashing those machines. The attack seems to have been injected into Tor hidden services, effectively meaning that the attacker may have a list of users that visited those hidden services.

Categories: Vulnerabilities, Web Security

Comments (21)

  1. JustWonderin

    Windows-based attacks are the most prevalent because Windows is the most widely used OS. Change that and the attacks change to match (look at Mac over the last 3 years). Short-sighted recommendation with little to no chance of adoption. Better to think things through and analyze every option and its ramifications, then recommend based on complete information.

  2. Janet

    I have several times experienced behaviors from JavaScript that I couldn’t tolerate and deleted them. And then I find that I am unable to access some important things without Java and download it again. I would like to hear what systems would be recommended for a person to have in operation if not interested in being a computer whiz. I want to keep in touch with people, be able to access news of interest in a wide range area. Be able to organize and keep track of personal things, etc.

  3. Paul T. Lambert

    What does this have to do with Windows, other than its status as the most popular and thus the most targeted OS? It was a Firefox vulnerability. Encouragements to switch away from Windows demonstrate either painful ignorance or existing prejudice against that OS.

  4. Barrywasamanalone

    Hey, why don’t the people that can write code (as I cannot) write a new operating system that is protected from the governments and the douche bags that try to hack and jack us? Why I ask this once and once only: do you all believe that just a couple of programs should and could run the world? I’ve known and felt this way since I was 7-8 yrs old. By the way, adults don’t screw over each other. So that is very clear, as any other person that does immoral things like try to steal from you or commit crimes, then they are found out and ousted to the area people or community. So, do we get busy? How can I help to motivate you?

  5. Josh C

    Why is Tor running on a browser base that is almost 10 versions behind? Other than newly added features, lots of security updates are added to Firefox in each new update. If the problem was with a vulnerability in Firefox 17 AND the vulnerability WAS a potential risk to other OSes, then moving from Windows is not a viable solution. This just looks like a way to try to make Windows a scapegoat.

  6. David A. Lessnau

    “In a critical security advisory issued over the weekend, the Tor Project told its users that they should seriously consider migrating away from Microsoft’s Windows operating system and disabling JavaScript.”

    Sure. And perhaps Tor should also suggest that while they’re at it, their users should learn how to breathe vacuum, too. And, I suppose for perfect security, they could browse the web with their computers off.

  7. Bob

    Why does my laptop at times sound like a national Broadcast Emergency? It not only happens to me, it also happens to my friend; we both have Comcast. His laptop is a Dell running Win 7 and mine a FUJITSU upgraded to Win 8.

  8. Bob

    I forgot to say my friend’s volume was off at the time; mine was set to have. He looked up these sound alarms and most say our memory is going bad or we are using XT; give me a break, as stated in my previous comment: Win 7 (for him) and an upgrade from Win 7 to Win 8. Is this an NSA screw up????????????????

  9. Mistermaker

    It seems to me like Tor is trying to look to Windows to blame for this vulnerability; however, obviously with the lack of attention from the Tor end into looking at this, they would realize that it’s a Mozilla Firefox/version fault, NOT the Windows O.S.’s fault, like somebody said earlier: “IT’S LIKE THEY ARE TRYING TO MAKE WINDOWS A SCAPEGOAT.”
    Just my 50p’s worth on the matter.
    Also, it is a cross-platform vulnerability, meaning that it can target a fair few other platforms and/or OSes.
    Thank You…

  10. Wouter

    Windows is insecure by design. Microsoft only started caring for it after businesses started moving away from it because of that.

  11. Dr. Hilliard Haliard

    Unix/C are even less secure by design. Remember gets() and the Morris worm? What OS/language designer in his right mind would allow something like that on his system?

      • Dr. Hilliard Haliard

        Generally, the earlier the software was designed, the less secure it is, mainly because virtually no programmer anticipated today’s massively interconnected, always-on world. Unix predates Windows by a good decade or two, and the earliest high-profile exploits like the Morris worm were all on Unix. It’s mostly a matter of timing, not competence or incompetence of the OS designers.

  12. anon

    > Why is Tor running on a browser base that is almost 10 versions behind?

    They are using Firefox Extended Support Release. It’s legit.

    And if you pay attention, their latest version was not affected by this vulnerability. Only people ignoring the update notification were. Hence “Tor security advisory: OLD Tor Browser Bundles vulnerable”

  13. Itproman

    The problem is that most computer users are so dumbed down (by design [social engineering]) that they’re just programmed to do: Windows Updates, have AV Software and Firewall installed… do more updates, thinking that is enough, not knowing, or even being too lazy minded to find out more.

    If they did, they would discover that MS Windows is inherently insecure by design, meaning all program installations access the registry, which is its main design AND security flaw, because any Internet Program can get access to it (if it can bypass the security system - and some can!), plus the Registry is the main culprit in computer slowdowns (yes, you can clean it, but you can only do so much)… and there are other flaws. It’s really a standalone pc system.

    Search: “Windows 8 is dangerous.”

    btw: All Windows (it is purported) have had an NSA backdoor since Windows 95 and all versions since Windows 2000 have had “call home technology”, meaning people are being programmed to become MORE MS dependent and more “dumbed down”!

    Unix was a multiuser, multitasking system by design from the beginning. Only root has complete access and in some versions root is disabled and the user (if he/she is in the admin group) must ‘sudo’ in, do whatever, then exit, but they’re using the system, on the whole, as a limited user. If they install programs (or root does and they’re given access), the config files are hidden files in their home directory and all versions of unix use an iptables firewall by default and, hopefully, all unnecessary services have been turned off.

    Big difference!

  14. Itproman

    In addition, I might add that for years Microsoft has been dictating to computer manufacturers “we’ll give you a cheap deal if you put our OS on your computers, BUT, if you put any other OS on there, your sweet contract is over!”

    For years MS has been forcing the hardware vendors to play their tune.

    Is it really about smart cooperation, or is it more like the bully in the schoolyard?

    Now, with UEFI Boot and this new BIOS, they’re making it so the hardware won’t support installing another OS (meaning: Linux, FreeBSD, PC-BSD, etc)…

    It’s high time we all started supporting open source manufacturers and open source Operating Systems and STOP PAYING THE BULLY and GET FREE OF THE STRANGLEHOLD!

    • Dr. Hilliard Haliard

      Newsflash: We’re well past the days of Microsoft as a “monopoly” that could dictate what hardware makers installed. Remember when the government sued the company and threatened to break it up into “baby Bills?” Well, that didn’t happen, but Microsoft still must abide by a wide-reaching settlement that changed its business practices rather fundamentally. I would recommend catching up on recent industry news and trends — oh, say within the last decade or so.

  15. jon brown

    @ the DR :-/
    “Newsflash: We’re well past the days of Microsoft as a “monopoly” that could dictate what hardware makers installed. I would recommend catching up on recent industry news and trends — oh, say within the last decade or so.”
    What are you smoking?
    “Now, with UEFI Boot and this new BIOS, they’re making it so the hardware won’t support installing another OS (meaning: Linux, FreeBSD, PC-BSD, etc)…”
    I think it is you who are a bit behind, not to mention a blind MS fanboi or just an ignorant troll. Your comment at the top could not be more wrong!! Many of us want a PC and don’t want anything to do with Windows and we are getting shafted. MS is a software manufacturer, so why should they be dictating what hardware I can purchase as a *nix user?

  16. josh barnes

    @ the DR :-/
    “I would recommend catching up on recent industry news and trends — oh, say within the last decade or so.”
    Please take your own advice. With each post you are making more and more of a fool of yourself and further degrading that “Dr.” title you feel the need to include like it means something other than the fact that you most likely spent a great deal of time in one of the most close-minded, out of touch and hypocritical groups that exist in ameriKa today. Academia is filled with “educators” with extreme bias that they feel no problem bringing to the classroom and essentially brainwashing what could be an intelligent group of individuals but will only end up as an “educated, knowledgeable group” without the ability to think objectively or look at more than one side of a story. It is sad and more common than not, especially in schools like Brown, Berkeley, and the like. Knowledge and education are very very different than intelligence. In the current system these highly educated individuals have no ability to debate. They can only regurgitate what they have been indoctrinated with from grade school through all levels of higher education at many/most “elite” Universities in the US and the EU (mostly the UK).
    You’re entitled to your (?? are they really??) views and interpretations, but some intelligent reasoning would be nice.

    So, if you were not previously familiar with MS’s latest successful extortion of HW manufacturers, here it is in a nutshell.

    > “Now, with UEFI Boot and this new BIOS, they’re making it so the hardware won’t support installing another OS…”

    …this to me is the worst yet! They know Windows is the most pathetic OS ever created and can’t compete w/open source OS’s, so they now want to make it close to or totally impossible for less tech savvy users to install their PREFERRED OS on hardware that THEY OWN!!!!! What don’t you get?? As one of those users who needs a new computer, I don’t know what to do, as my attempts to install my preferred OS (good or bad, it doesn’t matter) will most likely void my warranty, so my solution is to pay close to double for one of the few companies that sell pre-installed Linux computers to individuals (as opposed to businesses).
    Please get a clue if you want to comment on this topic.

Comments are closed.