Zerodium, an exploit vendor that buys and sells exploits for software, has announced on Twitter that Tor 7.x isn’t safe and that a bug can bypass a user’s security level choice, effectively allowing all browsers to be affected by JavaScript exploits. Apparently, the exploit only affects Tor 7.x but the latest Tor 8.0 release is unaffected, therefore you should update immediately.
Several Tor-releases ago, the project decided to add a security slider in order to make browsing sessions more secure for users by disabling several features including JavaScript, the slider interacts with NoScript in order to disable things like JavaScript.
The exploit revealed by Zerodium is able to bypass the script-blocking in NoScript which causes JavaScript to run in a user’s Tor Browser installation, potentially unmasking them. The exploit no longer works with Tor Browser 8.0 because Firefox Quantum is the base. With Firefox Quantum, many browser extensions, including NoScript, had to refactor their code to continue working in the browser – the changes subsequently broke the exploit.
After being alerted to the vulnerability earlier today, the maintainer of NoScript quickly pushed an update for the Classic version of the extension in order to protect against the vulnerability.
Zerodium CEO, Chaouki Bekrar has also confirmed that the exploit was purchased by the firm many months ago as a zero-day and has been shared with government customers. The exploit has only now been shared as it has reached end-of-life and doesn’t affect the newest Tor Browser. The firm also wanted to highlight the lack, or insufficient amount, of auditing done of the major components bundled by default in the browser.
While Tor does offer more security and privacy than ordinary browsers, today’s exploit highlights that there’s still work to be done in order to protect users.
Via ZDNet