[tor-talk] Tor security advisory: Old Tor Browser Bundles vulnerable
arma at mit.edu
Mon Aug 5 15:13:12 UTC 2013
This is a critical security announcement.
has been observed in the wild. Specifically, Windows users using the
Tor Browser Bundle (which includes Firefox plus privacy patches)
appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR. The following
versions of the Tor Browser Bundle include this fixed version:
2.3.25-10 (released June 26 2013) 
2.4.15-alpha-1 (released June 26 2013) 
2.4.15-beta-1 (released July 8 2013) 
3.0alpha2 (released June 30 2013) 
Tor Browser Bundle users should ensure they're running a recent enough
bundle version, and consider taking further security precautions as
WHO IS AFFECTED:
In principle, all users of all Tor Browser Bundles earlier than
the above versions are vulnerable. But in practice, it appears that
only Windows users with vulnerable Firefox versions were actually
exploitable by this attack.
(If you're not sure what version you have, click on "Help -> About
Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: )
To be clear, while the Firefox vulnerability is cross-platform, the
attack code is Windows-specific. It appears that TBB users on Linux
and OS X, as well as users of LiveCD systems like Tails, were not
exploited by this attack.
The vulnerability allows arbitrary code execution, so an attacker
could in principle take over the victim's computer. However, the
observed version of the attack appears to collect the hostname and MAC
address of the victim computer, send that to a remote webserver over
a non-Tor connection, and then crash or exit. The attack appears
to have been injected into (or by) various Tor hidden services,
and it's reasonable to conclude that the attacker now has a list of
vulnerable Tor users who visited those hidden services.
We don't currently believe that the attack modifies anything on the
WHAT TO DO:
First, be sure you're running a recent enough Tor Browser Bundle. That
should keep you safe from this attack.
Second, be sure to keep up-to-date in the future. Tor Browser Bundle
automatically checks whether it's out of date, and notifies you on its
homepage when you need to upgrade. Recent versions also add a flashing
exclamation point over the Tor onion icon. We also post about new
versions on the Tor blog: https://blog.torproject.org/
Third, realize that this wasn't the first Firefox vulnerability, nor
"S" beside the green onion, and select "Forbid Scripts Globally").
like you expect. A future version of Tor Browser Bundle will have an
You might also like Request Policy. And you might want to randomize
your MAC address, install various firewalls, etc.
Fourth, consider switching to a "live system" approach like Tails.
Really, switching away from Windows is probably a good security move
for many reasons.
And finally, be aware that many other vectors remain for vulnerabilities
big vectors exist, like css, svg, xml, the renderer, etc. We need
help improving usability of (and doing more security analysis of)
better sandboxing approaches as well as VM-based approaches like
Whonix and WiNoN. Please help!
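
A version check built from the list of fixed releases in this advisory, added here as an example; it is not code from the Tor Project or from this message. It assumes the release listed for each track (stable, alpha, beta, 3.0 alpha) is the first fixed one on that track and that later builds keep the fix; the function names and the sample rows are constructed.

```python
import re

# Fixed bundle releases exactly as listed in the advisory.
FIXED_BUNDLES = ["2.3.25-10", "2.4.15-alpha-1", "2.4.15-beta-1", "3.0alpha2"]
FIXED_FIREFOX = (17, 0, 7)  # Firefox 17.0.7 ESR

# "2.3.25-10", "2.4.15-alpha-1" and "3.0alpha2" all have to parse. A build
# number is mandatory, so a bare "2.3.25" is rejected instead of misread.
_BUNDLE_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)|-?(alpha|beta)-?(\d+))$")

def parse_bundle(version):
    """Return (track, key): track is (major, stage), key sorts within it."""
    m = _BUNDLE_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised bundle version: %r" % version)
    base, stable_build, stage, pre_build = m.groups()
    nums = tuple(int(p) for p in base.split("."))
    build = int(stable_build or pre_build)
    return (nums[0], stage or "stable"), (nums, build)

# Assumption: the listed release is the first fixed one on its track.
_FLOORS = dict(parse_bundle(v) for v in FIXED_BUNDLES)

def bundle_is_fixed(version):
    """True/False when the track is in the advisory, None when it is not."""
    track, key = parse_bundle(version)
    floor = _FLOORS.get(track)
    return None if floor is None else key >= floor

def firefox_is_fixed(version):
    """Compare the Firefox version shown in the About dialog with 17.0.7."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised Firefox version: %r" % version)
    return tuple(int(g or 0) for g in m.groups()) >= FIXED_FIREFOX

def assess(bundle, firefox):
    """The bundle list decides when it can; otherwise the Firefox version does."""
    verdict = bundle_is_fixed(bundle)
    if verdict is None:
        verdict = firefox_is_fixed(firefox)
    return "fixed" if verdict else "VULNERABLE: upgrade"

if __name__ == "__main__":
    # Constructed inventory rows (bundle version, Firefox version).
    for row in [("2.3.25-8", "17.0.6"), ("2.3.25-10", "17.0.7"), ("3.0alpha1", "17.0.6")]:
        print(row, assess(*row))
```

A bundle on a track the advisory does not list returns None from bundle_is_fixed, and assess then falls back to the Firefox version from "Help -> About Torbrowser".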