Update The Tor Project has provided a browser update that patches a zero-day vulnerability being exploited in the wild to de-anonymize Tor users.
“The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well,” the Tor Project said in its announcement. “Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.”
The Tor Project said the update released late Wednesday included an “important security update to Firefox and contains, in addition to that, an update to NoScript (2.9.5.2).” NoScript for Firefox is an open-source add-on that pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.
Word of the exploit was first posted to a Tor mailing list late Tuesday with the warning “This is an JavaScript exploit actively used against TorBrowser NOW.”
Early Wednesday, Tor cofounder Roger Dingledine confirmed the reports and said the Mozilla Foundation was working to patch the vulnerability. The Tor Browser is partially built on open source Firefox code, but also includes proxy code that encrypts and anonymizes users’ sessions as they move about the Internet.
Prior to the availability of a patch, the Tor Project said that users could either disable JavaScript, or set their security slider to “High” as a mitigation.
The flaw, security experts point out, is nearly identical to a zero-day vulnerability used by the FBI in 2013 as part of the agency’s efforts to identify Tor users sharing child pornography. According to an email from the Tor Project, the flaw is in Firefox’s SVG animation feature, and both SVG and JavaScript must be enabled for the exploit to be effective.
Technical details pertaining to the zero-day were initially scant and limited to a post to the Tor mailing list site with the short description:
“It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it’s getting access to ‘VirtualAlloc’ in ‘kernel32.dll’ and goes from there. Please fix ASAP.”
A security researcher by the Twitter handle @TheWack0lian posted a comparison of 2013 shellcode used by the FBI to the 2016 shellcode.
The shellcode used is almost exactly the shellcode of the 2013 one https://t.co/6vuIzqp0rj
…except it builds sockaddr_in on the stack. https://t.co/pWsUe4uHiZ
— slipstream/RoL (@TheWack0lian) November 29, 2016
Dan Guido, security researcher and CEO of Trail of Bits, chimed in on Twitter Wednesday saying that “the vulnerability is also present on macOS, but the exploit does not include support for targeting any operating system but Windows.”
The vulnerability is present on macOS, but the exploit does not include support for targeting any operating system but Windows.
— Dan Guido (@dguido) November 30, 2016
The TorBrowser vulnerability revelation Tuesday dredges up issues surrounding the government’s stockpiling and use of zero day exploits. In April, FBI Director James Comey revealed the agency paid an undisclosed third-party over a $1 million for a hacking tool that opened the iPhone 5c of the San Bernardino terrorist Syed Farook. In May, Mozilla filed a motion with the U.S. District Court in Tacoma, Wa., asking the government to disclose a vulnerability it exploited in the Tor Browser and Firefox in the 2013 case.
The FBI did not return inquiries for comment for this story.
https://twitter.com/csoghoian/status/803749223426650112
Chris Soghoian, principal technologist with the American Civil Liberties Union, noted in a tweet that the zero-day malware discovered in the Tor on Wednesday is calling home to a French IP address, adding “I’d be surprised to see a US federal judge authorize that.”
This story will be updated as more information becomes available.
This story was updated at 5pm ET to reflect a fix for the security vulnerability issued by the Tor Project late Wednesday along with additional technical details provided in the organization’s blog post.