The vulnerability in Firefox that was being used to exploit some users of Tor in recent days was fixed in a previous Firefox release and the exploit in circulation only works against people running Firefox 17. Over the weekend, word spread that the exploit was in the wild and that the Tor network itself had been compromised, however Tor officials said that was not the case and it was one specific hosting provider who hosts some Tor Hidden Services servers that had been targeted.

Tor, the anonymity network favored by activists, journalists, security researchers and others interested in remaining unidentified online, also is used by attackers and other criminals, including those peddling child pornography and other objectionable material. There are reports that the FBI has been using an exploit for the Firefox vulnerability to target people involved in the child pornography trade. The owner of Freedom Hosting, an Irish hosting company that provides some hosting for Tor Hidden Services servers, was arrested in recent days and charged with facilitating the distribution of child pornography. An Irish newspaper said that Eric Eoin Marques, a dual Irish and U.S. citizen, was being held without bail on the charges.

In the wake of the arrest and news of the existence of the Firefox exploit, fears rose that Tor itself had been compromised in a significant way and that legitimate users of the service were at risk of infection with malware. However, Tor officials said that the danger was quite limited and that there is no widespread compromise of the network. Tor Hidden Services is a set of servers that provide two-way anonymity: the user doesn’t know who is running the server and the server operator can’t identify the users. The servers can be run by anyone and there’s no central repository of Tor Hidden Services server addresses kept by the Tor Project.

“The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers,” said Tor officials in a blog post on the attack.

The exploit that’s being used in the attack affects Firefox 17 ESR, an old version of the browser, which happens to be included in the Tor Browser Bundle. So users of older versions of the Tor Browser could be at risk of compromise. However, Mozilla officials said that the vulnerability being used in the attack has been fixed for more than a month, so users of current versions of Firefox are protected.

“The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53. People who are on the latest supported versions of Firefox are not at risk. Although the vulnerability affects users of Firefox 21 and below the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack,” Daniel Veditz of the Mozilla security team said.


Categories: Vulnerabilities, Web Security