In a critical security advisory issued over the weekend, the Tor Project told its users that they should seriously consider migrating away from Microsoft’s Windows operating system and disabling JavaScript.
The Tor Project security advisory was a response to revelations on Sunday that an attack had targeted users of the Tor Browser. According to the advisory, the attack exploited a Firefox JavaScript vulnerability that has already been resolved. The vulnerability is a cross-platform threat, but the exploit in this case was Windows-specific. Tor Browser Bundle users on Linux, OS X, and LiveCD systems like Tails were never at risk of exploitation.
The advisory lays out a list of actions users should take to protect themselves and their anonymity in the future, concluding with the Tor Project’s Roger Dingledine writing:
“Really, switching away from Windows is probably a good security move for many reasons.”
Users are also advised to make sure they are running a recent enough version of the Tor Browser. The vulnerability itself was fixed in Firefox 17.0.7, which means that Tor versions 2.3.25-10, 2.4.15-alpha-1, 2.4.15-beta-1, and 3.0alpha2 are all safe. Users are also urged to stay updated moving forward because this isn’t the first Firefox vulnerability and it won’t be the last. Beyond that, there are other potential attack vectors, including JavaScript, CSS, SVG, XML, the renderer, and more. It may also be a good idea to just disable JavaScript altogether, Dingledine writes.
“We need help improving usability of (and doing more security analysis of) better sandboxing approaches as well as VM-based approaches like Whonix and WiNoN,” Dingledine writes. “Please help!”
Auto-update is not yet supported on the Tor Browser, so users are responsible for updating themselves. The Electronic Frontier Foundation published a guide that walks users through the process.
The Tor Browser, per the Electronic Frontier Foundation’s explanation, is a modified version of the Mozilla Firefox browser that gives users the ability to browse anonymously through Tor without having to do any real configuration. Because the Tor Browser is based largely on Mozilla code, it is often affected by Mozilla vulnerabilities.
Regarding the attack itself, the Tor Project said, “We don’t currently believe that the attack modifies anything on the victim computer.”
However, the vulnerability enabled arbitrary code execution, so an attacker could potentially take over a victim’s machine. In practice, the attack appears to have collected hostnames and MAC addresses from victim machines, which the attacker then sent to a remote server over a non-Tor connection, before crashing those machines. The attack seems to have been injected into Tor hidden services, effectively meaning that the attacker may have a list of users who visited those hidden services.