Update: The Tor Project has released a browser update that patches a zero-day vulnerability being exploited in the wild to de-anonymize Tor users.
“The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well,” the Tor Project said in its announcement. “Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.”
Early Wednesday, Tor cofounder Roger Dingledine confirmed the reports and said the Mozilla Foundation was working to patch the vulnerability. The Tor Browser is a modified build of Mozilla's open source Firefox code, bundled with the Tor client that routes the browser's traffic through the Tor network to encrypt and anonymize users' sessions as they browse the Internet.
Technical details pertaining to the zero-day were initially scant and limited to a post to the Tor mailing list site with the short description:
“It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it’s getting access to ‘VirtualAlloc’ in ‘kernel32.dll’ and goes from there. Please fix ASAP.”
A security researcher using the Twitter handle @TheWack0lian posted a comparison of the 2016 shellcode with the shellcode used in the FBI's 2013 Tor Browser exploit.
The shellcode used is almost exactly the shellcode of the 2013 one https://t.co/6vuIzqp0rj
…except it builds sockaddr_in on the stack. https://t.co/pWsUe4uHiZ
— slipstream/RoL (@TheWack0lian) November 29, 2016
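The mailing-list post above describes the payload only as far as its resolution of VirtualAlloc in kernel32.dll, and the tweet notes that the 2016 shellcode differs from the 2013 one in building its sockaddr_in on the stack. That detail is what lets an analyst pull the callback address out of the raw bytes without running anything. The following is an added example written for this article, not code from the Tor Project, Mozilla, the researcher quoted above, or the exploit itself. It assumes the common x86 layout in which two PUSH imm32 instructions construct the structure (the IP octets in the first immediate, AF_INET plus the big-endian port in the second); whether the actual 2016 payload used exactly that encoding is not confirmed by the article. The shellcode bytes embedded below are constructed for the example and point at 192.0.2.10 (a TEST-NET address), not at any real callback host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Recover the callback (C2) address from x86 shellcode that builds a
 * sockaddr_in on the stack with two PUSH imm32 instructions:
 *
 *     68 a b c d       push 0xddccbbaa   -> sin_addr, octets a.b.c.d
 *     68 02 00 hi lo   push 0xlohi0002   -> sin_family = AF_INET (2),
 *                                           sin_port   = hi:lo (network order)
 *
 * After both pushes, ESP points at a complete sockaddr_in, so the bytes of
 * the immediates are the structure in memory order.  This layout is an
 * assumption about the payload, not something the article confirms.
 */

typedef struct {
    int      found;   /* 1 if a matching push sequence was found */
    size_t   offset;  /* offset of the first PUSH in the buffer */
    uint8_t  ip[4];   /* sin_addr octets in dotted-quad order */
    uint16_t port;    /* sin_port converted to host byte order */
} callback_t;

callback_t find_sockaddr_push(const uint8_t *buf, size_t len)
{
    callback_t r;
    memset(&r, 0, sizeof r);

    /* Need 10 bytes: 68 xx xx xx xx 68 02 00 xx xx */
    for (size_t i = 0; i + 10 <= len; i++) {
        if (buf[i] != 0x68 || buf[i + 5] != 0x68)
            continue;
        if (buf[i + 6] != 0x02 || buf[i + 7] != 0x00)   /* AF_INET, little-endian */
            continue;

        uint16_t port = (uint16_t)((buf[i + 8] << 8) | buf[i + 9]);
        if (port == 0)        /* a real connect-back never targets port 0 */
            continue;

        r.found  = 1;
        r.offset = i;
        memcpy(r.ip, buf + i + 1, 4);
        r.port   = port;
        return r;
    }
    return r;
}

/* Render the result as "a.b.c.d:port"; returns the snprintf byte count. */
int format_callback(const callback_t *c, char *out, size_t outlen)
{
    if (!c->found)
        return snprintf(out, outlen, "no sockaddr_in push sequence found");
    return snprintf(out, outlen, "%u.%u.%u.%u:%u",
                    c->ip[0], c->ip[1], c->ip[2], c->ip[3], c->port);
}

/* Constructed sample, NOT bytes from the real exploit: a few filler
 * instructions, then the two pushes for 192.0.2.10 (TEST-NET-1), port 4444. */
const uint8_t sample_shellcode[] = {
    0xfc,                                /* cld */
    0x31, 0xc0,                          /* xor eax, eax */
    0x6a, 0x00,                          /* push 0 */
    0x68, 0xc0, 0x00, 0x02, 0x0a,        /* push 0x0a0200c0 -> 192.0.2.10 */
    0x68, 0x02, 0x00, 0x11, 0x5c,        /* push 0x5c110002 -> AF_INET, port 4444 */
    0x89, 0xe6,                          /* mov esi, esp    -> esi = &sockaddr_in */
    0x6a, 0x10,                          /* push 16         -> sizeof(sockaddr_in) */
    0x56,                                /* push esi */
};
const size_t sample_shellcode_len = sizeof sample_shellcode;

int main(void)
{
    char line[64];
    callback_t c = find_sockaddr_push(sample_shellcode, sample_shellcode_len);
    format_callback(&c, line, sizeof line);
    printf("callback: %s (push sequence at offset %zu)\n", line, c.offset);
    return c.found ? 0 : 1;
}
```

On a real sample the bytes would come from the decoded payload carried by the HTML and CSS files, and the scan would be run over that buffer. The check on AF_INET and a non-zero port keeps random `68` bytes from matching, but a payload that keeps the structure in a data blob rather than building it with pushes would not be found by this scan and needs the static-structure layout handled separately.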
Dan Guido, security researcher and CEO of Trail of Bits, chimed in on Twitter Wednesday saying that “the vulnerability is also present on macOS, but the exploit does not include support for targeting any operating system but Windows.”
The vulnerability is present on macOS, but the exploit does not include support for targeting any operating system but Windows.
— Dan Guido (@dguido) November 30, 2016
The Tor Browser vulnerability revealed Tuesday dredges up the debate over the government's stockpiling and use of zero-day exploits. In April, FBI Director James Comey revealed the agency had paid an undisclosed third party more than $1 million for a hacking tool that unlocked the iPhone 5c of San Bernardino shooter Syed Farook. In May, Mozilla filed a motion with the U.S. District Court in Tacoma, Wash., asking the government to disclose a vulnerability it had exploited in the Tor Browser and Firefox in an earlier criminal case.
The FBI did not return inquiries for comment for this story.
The Tor malware calling home to a French IP address is puzzling though. I'd be surprised to see a US federal judge authorize that. https://t.co/FiOPwRj0C7
— Christopher Soghoian (@csoghoian) November 29, 2016
Chris Soghoian, principal technologist with the American Civil Liberties Union, noted in a tweet that the Tor Browser zero-day malware discovered Tuesday phones home to a French IP address, adding, "I'd be surprised to see a US federal judge authorize that."
This story will be updated as more information becomes available.
This story was updated at 5pm ET to reflect a fix for the security vulnerability issued by the Tor Project late Wednesday along with additional technical details provided in the organization’s blog post.