The advisory lays out a list of actions users should take to protect themselves and their anonymity in the future, concluding with the Tor Project’s Roger Dingledine writing:
“Really, switching away from Windows is probably a good security move for many reasons.”
“We need help improving usability of (and doing more security analysis of) better sandboxing approaches as well as VM-based approaches like Whonix and WiNoN,” Dingledine writes. “Please help!”
Auto-update is not yet supported in the Tor Browser, so users are responsible for updating it themselves. The Electronic Frontier Foundation published a guide that walks users through the process.
The Tor Browser, per the Electronic Frontier Foundation’s explanation, is a modified version of the Mozilla Firefox browser that gives users the ability to browse anonymously through Tor without having to do any real configuration. Because the Tor Browser is based largely on Mozilla code, it is often affected by Mozilla vulnerabilities.
Regarding the attack itself, the Tor Project said, “We don’t currently believe that the attack modifies anything on the victim computer.”
However, the vulnerability enabled arbitrary code execution, so an attacker could potentially take over a victim’s machine. In reality, the attack appears to have collected hostnames and MAC addresses from victim machines, which the attacker then sent to a remote server over a non-Tor connection, before crashing those machines. The attack seems to have been injected into Tor hidden services, effectively meaning that the attacker may have a list of users who visited those hidden services.