Slashdot Mirror


Exploit Vendor Drops Tor Browser Zero-Day on Twitter (zdnet.com)

An anonymous reader writes: Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network. The vulnerability is a bypass of the NoScript extension that's included by default with all Tor Browser distributions. Once bypassed, an attacker can run malicious code inside the Tor Browser, code that under certain circumstances would have been stopped by NoScript.

"This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers," Zerodium CEO Chaouki Bekrar told ZDNet in an interview. "We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week." The NoScript extension released a patch in record time today to fix the vulnerability, two hours after Zerodium dropped its code on Twitter.

78 comments

  1. End of life by Anonymous Coward · · Score: 0

    Wait, what if we pay to keep the exploit around a while longer? Is that an option?

    1. Re: End of life by Anonymous Coward · · Score: 0

      Yes, please wire an exorbitant amount of money every day to you-know-where

  2. Rule One by Anonymous Coward · · Score: 3, Informative

    Rule one of Tor: disable javascript in about:config.

    1. Re:Rule One by Anonymous Coward · · Score: 1

      Most of the web is now unusable without JS.

    2. Re:Rule One by Anonymous Coward · · Score: 1

      Rule two of Tor: most of the web is a privacy invading nightmare, and js is most often the means of the invasion.

    3. Re:Rule One by Anonymous Coward · · Score: 2, Insightful

      Not saying you're wrong, but the reason many people use tor is to use the web. If it isn't useful for that, it's never going to get the kind of traction it needs among people "not doing anything wrong".

      And if those people don't use it, all it does is paint a HUGE target on the backs of people who do... and who need it to protect themselves.

    4. Re:Rule One by Anonymous Coward · · Score: 0

      Rule three of Tor: in a world where people willingly give up their privacy for supposed functionality, any attempt to actually protect your privacy will paint a huge target on your back

    5. Re:Rule One by Anonymous Coward · · Score: 0

      Most of the web I care for is usable with Javascript. As for the rest... I from time to time peek into it and am honestly glad that I manage to avoid it, mostly.

    6. Re: Rule One by Anonymous Coward · · Score: 0

      most Mail websites can run without Javascript

  3. Re: Just to be clear by Anonymous Coward · · Score: 0

    Lol. I wouldn't recommend anyone use any extension for Tor. Learn how to configure it or get burned. NOWGO2BEDFGT

  4. Welcome to Internet 2.0 by Anonymous Coward · · Score: 1

    This should be sending chills down your spine:

    This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers,"

    What in the FUCK. Who are your "Government Customers" and why are they using Tor? What else have you disclosed but not told anyone? Or would that cut into your nice profits selling snake oil?

    Responsible disclosure my ass, the security industry is a joke.

    1. Re:Welcome to Internet 2.0 by glitch! · · Score: 1

      Who are your "Government Customers" and why are they using Tor?

      They are probably the NSA and CIA. The NSA wants ways to access and extract information from anything and everything. The CIA wants that, plus, they want secure and anonymous communications for their operatives doing "fun and games", i.e. killing people, running drugs, asserting force on governments, and collecting the profits.

      What else have you disclosed but not told anyone? Or would that cut into your nice profits selling snake oil?

      This might be their "advertising campaign" to get more awareness to their company.

      --
      A dingo ate my sig...
  5. Untrue per what I read... apk by Anonymous Coward · · Score: 0, Informative

    "As Zerodium notes in its disclosure, the vulnerability is active even when the user is running the browser with NoScript, a Javascript-blocking extension that is included with the Tor browser (but is not set to active by default). " SOURCE https://www.theregister.co.uk/...

    * So, you're incorrect... the FOOLS never turned it on in the 1st place! THIS GOES FOR "TOR" ITSELF actually, NOT so much for "Zerodium" WHO SHOULD HAVE SEEN THAT THOUGH IN THEIR MODEL OF IT!

    APK

    P.S.=> Don't worry, I was too INITIALLY (VERY misleading headlines ARE out there on it) UNTIL I read that part I quoted above... apk

  6. Re: Just to be clear by Anonymous Coward · · Score: 0

    NoScript extension that's included by default with all Tor Browser distributions.

    Nerds: 0 Jocks: Over 9000

  7. "Posts" not "drops" by jabberw0k · · Score: 2, Informative

    The link was posted (added), not dropped (removed).

    1. Re:"Posts" not "drops" by Anonymous Coward · · Score: 1

      It's file sharing lingo: drop is short for drag & drop.

    2. Re:"Posts" not "drops" by thegarbz · · Score: 1

      Potatoe Potatoe. Your post is 100% correct when you're talking about SQL tables. Though speaking of tables what happens when you table a piece of legislation in the UK vs tabling a piece of legislation in the USA?

    3. Re:"Posts" not "drops" by Anonymous Coward · · Score: 0

      I found the DB admin.

    4. Re:"Posts" not "drops" by gustygolf · · Score: 1

      "to drop an exploit" means "to make an exploit public", so that the exploit is now worthless (dropped) because whatever it was exploiting will be fixed.

      Black hat lingo I guess.

      Here's an example: https://www.zdnet.com/article/...

      Ex-NSA hacker drops macOS High Sierra zero-day hours before launch

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
    5. Re:"Posts" not "drops" by Anonymous Coward · · Score: 0

      I dropped a deuce on your living room floor. Nerd.

  8. Re:[offensive post removed] by fleabay · · Score: 2

    You're going to have to try harder to sow discontent around here with a fake deleted post and a fake account to try and make it look legit. People here are smarter than you.

  9. Re:[offensive post removed] by the+real+BeauHD · · Score: 0

    Nice try, Vlad.

  10. Re: Just to be clear by Anonymous Coward · · Score: 0

    OP and Jock Rock. That's enough. The adults are talking.

  11. The noscript HTML tag was a mistake by Anonymous Coward · · Score: 0

    Why does this abomination exist?!

  12. Yay, NoScript! by thomst · · Score: 5, Insightful

    There've been quite a number of posts beardmuttering about a severe NoScript vulnerability for much of the past couple of weeks. The fact is that, if you use the Tor browser at all regularly, you've been seeing a notification flag about that very thing in the addons bar for the whole of that time.

    What I take from this story is that, although the existence of the vulnerability had to have been disclosed to the Tor developers - and very likely to the NoScript folks, as well - just prior to the appearance of that flag, it wasn't until today that the Zerodium folks disclosed the actual code to them. Now, if you know there's some kind of vulnerability that's been discovered, but you don't know exactly what that vulnerability consists of, it's pretty fucking difficult to fix the damned thing, because, essentially, you'd have to just blindly guess at its nature and where in your code it might be hiding.

    Otherwise you'd just quietly fix it, push out an update, and get on with the task of developing the next version, rather than have to expend those resources on more bughunting. So, to me, the fact that the NoScript team produced a fix in two hours from the time Zerodium released the exploit code is a tribute to their commitment to protecting their users.

    It also tells me that the fix itself must have been relatively trivial - which in no way diminishes my admiration for the devs who coded it, tested it, integrated it into the addon, and got it out the door in the duration of a typical garage band rehearsal.

    So, good job, guys!

    What does give me pause is Zerodium's casual disclosure that they had already thoroughly saturated their market for that exploit, and concluded that they couldn't squeeze another dollar out of the black hat sector (having previously sold it to every nation-state in the intelligence world - or, rather, every one in the market for zero-days). At a guess, that means they've been actively hawking it for not less than six months or so.

    And that is a Very Bad Thing, indeed ...

    --
    Check out my novel.
    1. Re:Yay, NoScript! by Raenex · · Score: 1

      And that is a Very Bad Thing, indeed ...

      It's pretty cool in a dystopian, cyberpunk way, though.

    2. Re:Yay, NoScript! by Kjella · · Score: 1

      Seriously, yay Noscript? Their one reason to exist is to block Javascript. Their "safest" mode is often used as a substitute for turning it off completely since Noscript has an easy GUI to allow some scripts to run, which means they basically compromised a simple on/off switch. It's the kind of total meltdown that makes me wonder if this is a NSA plant or if they're totally incompetent or were drunk during code reviews, if they have any. Sorry but this is a massive black mark that says that all the tin foil hatters who disabled it in about:config to make sure it was really, really off were absolutely right. Noscript CAN NOT BE TRUSTED.

      --
      Live today, because you never know what tomorrow brings
    3. Re:Yay, NoScript! by Giorgio+Maone · · Score: 5, Informative

      The NoScript dev -- not "devs" ;) -- here.

      Thank you for your commentary, which is quite to the point except for two details which I'd like to set straight:

      • The existence of this vulnerability, let alone its nature, has never been disclosed to me or to the Tor Browser team. The very first hint I had about it was this tweet by the ZDNet reporter, sent about one later than Zerodium's one, and noticed even later.
      • Based exclusively on that Zerodium tweet (not a proper bug report, just an innuendo without even a link to a live PoC), the "NoScript team" (just me, actually) scrambled to create a reproducible test case, dig into NoScript 5 "Classic"'s code base, which had not been touched for months*, find the bug, fix it, test the patch, package two new versions (one for the beta autoupdate channel, one for the stable one) and deploy them both in quite less than one hour, in real time while being interviewed by the journalist. In the old days, when I had my own garage bands, our typical rehearsals were much longer -- and pleasant ;)

      * NoScript 10 "Quantum" has been the main branch and the only one I focused on since December 2017: it is a complete rewrite and was born unaffected by this bug. NoScript 5 has been kept around so far for the Tor Browser and the others based on Firefox ESR 52, like Pale Moon.

      I'd also like to add that NoScript 10's code is much simpler, leaner and easier to understand / maintain, and has got a lot more "friendly" eyeballs reviewing it for possible flaws. Therefore I'm quite confident something like this wouldn't go unnoticed that easily. Anyway, I vow to keep fixing whatever security bug is found (either cooperatively or in a hostile and disturbing way, like in this case) as fast as humanly possible, and even a bit faster, like I always did :)

      --
      There's a browser safer than Firefox, it is Firefox, with NoScript
    4. Re:Yay, NoScript! by SumDog · · Score: 2

      It's rare to see the dev of a tool respond here on Slashdot. That's more typical on Hacker News. Seriously this place is a cesspit. :-P

      But good on you, and thanks for clearing this up too. People don't get enough appreciation for this kind of work, especially porting your plugin to WebExtensions .. something that has been really challenging to quite a few plugin authors.

      Thank you for your candour and information and setting the record straight.

    5. Re:Yay, NoScript! by Anonymous Coward · · Score: 0

      >I'd like also to add that NoScript 10's code [github.com] is much simpler, leaner and easier to understand / maintain, and has got a lot more "friendly" eyeballs reviewing it for possible flaws.

      Do you plan on adding features to NS10 which were lost between the old version and NS10? One of the big reasons I stayed with the old NS version along with FF ESR was the degree of usefulness I had with it.

    6. Re: Yay, NoScript! by Anonymous Coward · · Score: 0

      Hey, this gives me a chance to say it! Thank you for your work. Really appreciated.

      Signed, a Palemoon user.

    7. Re:Yay, NoScript! by Anonymous Coward · · Score: 0

      NoScript 5 has been kept around so far for the Tor Browser and the others based on Firefox ESR 52, like Palemoon.

      Speaking as a pale moon and noscript user, I thank you for not abandoning us!

    8. Re:Yay, NoScript! by Anonymous Coward · · Score: 0

      NoScript is open source, there's nothing that makes a program more "trustworthy" than having the ability to review the source code. Obviously, by reading your idiotic posts, I guess that's not something you would be able to do.

    9. Re:Yay, NoScript! by Anonymous Coward · · Score: 0

      Thank you!

    10. Re:Yay, NoScript! by thomst · · Score: 1

      Giorgio Maone responded to my post thusly:

      The NoScript dev -- not "devs" ;) -- here.

      Thank you for your commentary, which is quite to the point except for two details which I'd like to set straight:

      • The existence of this vulnerability, let alone its nature, has never been disclosed to me or to the Tor Browser team. The very first hint I had about it was this tweet by the ZDNet reporter, sent about one later than Zerodium's one, and noticed even later.
      • Based exclusively on that Zerodium tweet (not a proper bug report, just an innuendo without even a link to a live PoC), the "NoScript team" (just me, actually) scrambled to create a reproducible test case, dig into NoScript 5 "Classic"'s code base, which had not been touched for months*, find the bug, fix it, test the patch, package two new versions (one for the beta autoupdate channel, one for the stable one) and deploy them both in quite less than one hour, in real time while being interviewed by the journalist. In the old days, when I had my own garage bands, our typical rehearsals were much longer -- and pleasant ;)

      Thank you for your detailed corrections to my (largely guesswork-based) post. I couldn't ask for a more credible source for them!

      (I'm more impressed by your patch-fu now than I was in the first place, btw.)

      While I have your attention, I also want to thank you for what you do for us FF users. Without NoScript, I wouldn't feel safe browsing the modern web with anything short of a completely air-gapped PC that had a browser, an OS, and basically nothing else of value installed, so I could take it down to bare metal and reinstall them both, whenever it got infected from rogue scripts - which would likely be every couple of days ...

      --
      Check out my novel.
    11. Re:Yay, NoScript! by Anonymous Coward · · Score: 0

      They disclosed it because it's an extremely minor bug (just a NoScript bypass) that does not make Tor Browser any less secure than its default settings make it. All they wanted to do is create hype for the bug in order to advertise themselves, and they succeeded.

  13. End of life? by Anonymous Coward · · Score: 4, Insightful

    Really weird when an exploit vendor says one of their exploits is reaching "end of life".

    Also creepy that they are selling this to governments. I'd bet this sort of thing happens all the time from all sorts of shady companies like this.

    1. Re:End of life? by anti-pop-frustration · · Score: 1, Insightful

      The bigger question is: how is it even legal to sell exploits?

      It should be illegal, or at the very least heavily regulated.

      We need to find economic and legal ways of doing things that result in better security, not simply allowing private companies to profit from making everybody less secure.

    2. Re:End of life? by Anonymous Coward · · Score: 0

      This exploit reached end of life because they already have another (to sell).

    3. Re:End of life? by Anonymous Coward · · Score: 0

      Tricky question.

      On one hand it's pretty damned obvious that discreetly disseminating information like this isn't something people should be able to reap financial benefits from; on the other hand it's a freedom of speech issue. It's not like NoScript or similar software is a secret or that the code is covered by some sort of NDA. If you find a bug, you're free to discuss it with whoever you want on whichever terms you choose; the knowledge about the bug is yours.

      All in all a pretty good example of how nice things get abused by assholes, just like usual.

    4. Re:End of life? by Anonymous Coward · · Score: 0

      yeah, they have version 8 - 10 exploits now...no need for old crap. Tor was only good a long time ago for a short period of time.

    5. Re:End of life? by Anonymous Coward · · Score: 0

      Firefox ESR, which the Tor browser is using, is moving on and the extension version that worked with the exploit no longer works in the new ESR.

    6. Re:End of life? by Anonymous Coward · · Score: 0

      The legality of selling something many times has less to do with what you're selling and more to do with who your customers are.

    7. Re:End of life? by bill_mcgonigle · · Score: 1

      Legal? They said they sold it to government customers. Probably the DEA to unmask darknet market participants.

      Who do you think is going to make it illegal, that same government that benefits?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    8. Re:End of life? by Anonymous Coward · · Score: 0

      vulnerabilities convince people to update and make everyone more secure

    9. Re:End of life? by Anonymous Coward · · Score: 0

      The ability to charge for information is not rationally considered a "free speech" issue.

      In fact, if you really wanted to advance freedom of speech, you'd make all NDAs unenforceable, including the ones with your "internal" staff.

  14. Wut by Anonymous Coward · · Score: 0

    Confusing article; if it's disabled in about:config everything's fine.

  15. Whitelisting vs blacklisting.... by complete+loony · · Score: 1

    Why does the TOR browser even have a javascript engine?

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    1. Re:Whitelisting vs blacklisting.... by Anonymous Coward · · Score: 0

      Because the internet voted to require Javascript for basic operation of the overwhelming number of web sites.

    2. Re:Whitelisting vs blacklisting.... by Anonymous Coward · · Score: 0

      >Why does the TOR browser even have a javascript engine?

      IDK, you would think the funding they receive from the USG would allow for them to....nevermind.

  16. Re:[offensive post removed] by Anonymous Coward · · Score: 0

    Well that was cringe

  17. Not that serious by LubosD · · Score: 1

    Security-aware Tor users disable JS completely in about:config instead of using extensions.

  18. FBI exploit? by jonwil · · Score: 0

    I wonder if this is the exploit the FBI were using a while back (the one where they decided to let a scumbag pedophile off the hook rather than reveal how they were able to catch the guy) or if it's a different exploit and the FBI one is still a problem...

  19. Fuck Javascript! by Anonymous Coward · · Score: 0

    Hey, Mozilla!

    Your stupid pushing for "every gullet out there *gotta* have guaranteed Javascript" is now costing human lives. How great is that?

    I want my Javascript switch back: when I say "off" it should mean "off", no Rube Goldberg plugins for that, which "enable sometimes" and "sometimes perhaps", with all security nightmares this encompasses. Off means off.

    And if telemetry tells you people out there are too damn stupid to switch it back on, then it's *because you are making them stupid*. Notice?

    1. Re:Fuck Javascript! by Anonymous Coward · · Score: 0

      I want my Javascript switch back: when I say "off" it should mean "off", no Rube Goldberg plugins for that, which "enable sometimes" and "sometimes perhaps", with all security nightmares this encompasses. Off means off.

      Good news! It's still in about:config!
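    Several posts in this thread ("Rule One", "Not that serious" and the reply just above) recommend flipping javascript.enabled in about:config rather than trusting NoScript's switch. The script below is an added example, not code from the thread or from the Tor or NoScript projects: it audits a Firefox/Tor Browser profile directory for the effective value of that preference, applying Firefox's own precedence rules (user.js is applied after prefs.js, the last occurrence in a file wins, and an absent pref means the built-in default, which for javascript.enabled is true). The Tor Browser profile path in the usage comment is an assumption about the standard Linux bundle layout, and the sample profile the script builds is constructed for the demonstration.

    ```shell
    #!/bin/sh
    # Added example, not from the original thread or the Tor/NoScript projects.
    # Audits a Firefox/Tor Browser profile for the effective javascript.enabled
    # value. Assumes the documented Firefox profile layout: prefs.js (written by
    # the browser when you change about:config) and an optional user.js (read at
    # every startup, applied after prefs.js, so it wins on conflicts).
    # Within one file, the last user_pref() line for a given name wins.

    # Print the last value set for pref $1 in file $2; print nothing if unset
    # or if the file does not exist.
    pref_in_file() {
        [ -r "$2" ] || return 0
        sed -n "s/^[[:space:]]*user_pref(\"$1\",[[:space:]]*\([^)]*\));.*/\1/p" "$2" \
            | tail -n 1
    }

    # Effective value of pref $2 in profile dir $1, falling back to default $3.
    # user.js beats prefs.js; a pref missing from both means the built-in default.
    effective_pref() {
        v=$(pref_in_file "$2" "$1/user.js")
        [ -n "$v" ] || v=$(pref_in_file "$2" "$1/prefs.js")
        [ -n "$v" ] || v="$3"
        printf '%s\n' "$v"
    }

    # Exit 0 only if JavaScript is really off for profile dir $1, i.e. the
    # effective javascript.enabled is the literal false (default is true).
    js_really_off() {
        [ "$(effective_pref "$1" javascript.enabled true)" = "false" ]
    }

    # Constructed sample profile (not a real one): prefs.js says off, but a
    # later line in user.js turns JavaScript back on. A naive
    # `grep javascript.enabled prefs.js` would report this profile as safe.
    make_sample_profile() {
        dir=$(mktemp -d)
        cat >"$dir/prefs.js" <<'EOF'
    // Mozilla User Preferences (constructed sample)
    user_pref("javascript.enabled", false);
    user_pref("network.proxy.socks_port", 9150);
    EOF
        cat >"$dir/user.js" <<'EOF'
    user_pref("javascript.enabled", false);
    user_pref("javascript.enabled", true);
    EOF
        printf '%s\n' "$dir"
    }

    # Usage against a real profile (path is an assumed Tor Browser Linux layout):
    #   js_really_off "$HOME/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default" \
    #       && echo "JavaScript is off" || echo "JavaScript is ON"
    ```

    The check deliberately reads both files instead of just prefs.js: a hardened profile often ships a user.js, and a stray later line there silently re-enables what about:config appears to show as disabled until the next restart rewrites prefs.js.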

  20. should be more worried by Anonymous Coward · · Score: 0

    I use Tor every other day for recreational drugs and it allows the confidence to experiment in my own home. On the one hand having these zero days kept away from the end user on purpose is a horrible thing to do, on the other it turns out through experience that whatever I do the authorities really don't care. Don't touch kids, don't be a terrorist... that's fine with me.

  21. Re: Just to be clear by Anonymous Coward · · Score: 0

    Stop, you're getting APK all hot and bothered

  22. firefox plugin api by sad_ · · Score: 1

    interesting to read that this exploit only worked for the old plugin api on firefox.
    remember that a lot of people were upset about the change in the api as a lot of plugins wouldn't work anymore unless rewritten.
    mozilla at the time did state that the api was a bit messy and insecure.
    clearly they were correct to rewrite this api, as we can see now.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  23. APK is just mad that he gets destroyed by Anonymous Coward · · Score: 0

    APK is just mad that he lives in a dumpy duplex his mother left him when she fled back to Poland to live out her dream of a retirement free of her retarded man child of a son. He still needs a roommate at age 54 so that he can afford to pay the bills and eat. What he learned today is the ls command; just wait until he learns there are useful options that can be passed to it, as he will be blown away. Eventually he will learn that being able to ping as a non-root user isn't special.

  24. bypasses a *legacy* NoScript by DrYak · · Score: 2

    From the mouth (well keyboard) of the NoScript dev himself, this is a bug which affects the old NoScript version 5, the XUL extension that is still used in a few old browsers still based on the Firefox 52 ESR (like Tor Browser).

    The NoScript version 10, the Web Extension that works in more recent version of Firefox (they switched to Web Extensions exclusively since Firefox version 57), isn't affected.
    Thus the current version of Tor Browser, version 8, which is based on Firefox ESR 60, is running an unaffected NoScript version. (Even the /. summary mentions this point).
    Your current vanilla Firefox 62 / Firefox Android 62 isn't affected either.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  25. Thank you by DrYak · · Score: 2

    The NoScript dev -- not "devs" ;) -- here.

    Thank you, sir, for your work. You're making one of my favorite extensions ever
    (The other being gorhill's uBlock Origin).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  26. Why don't you say WHO you are? by Anonymous Coward · · Score: 0

    My Mother left me nothing & in fact? I literally requested she write me out of her will (my Sis did the same) & she did. We asked she leave our nieces/nephews/children everything,

    * You just can't stop lying, can you, loser OR see subject: Why are you HIDING from me? Got something to HIDE?? Yes.

    APK

    P.S.=> JEALOUS "Lil' Jowie" you pitiful DO-NOTHING "ne'er-do-well" who STALKS me by UNIDENTIFIABLE anonymous posts? You have SERIOUS mental issues (as well as being a HORRIBLE liar)... apk

    1. Re:Why don't you say WHO you are? by Anonymous Coward · · Score: 0

      wot no rantply?

  27. Who watches the watchmen enablers? by Impy+the+Impiuos+Imp · · Score: 1

    "Who are your government customers?"

    If any are dictatorships, you should be thrown in jail.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  28. Cool! I worked on this. by Anonymous Coward · · Score: 1

    We also have quite a few new 0d's (yes, remote priv-esc) in the Linux kernel attained via many common services. Fully patched distributions are still failing to stop them too. This is a really exciting time to be in this business.

  29. Three letters by Anonymous Coward · · Score: 0

    You know which three letters

  30. Are you Dan Quayle? by Anonymous Coward · · Score: 0

    It's actually "potato".

    [Edit : captcha - tomato]

  31. Something amiss? by Anonymous Coward · · Score: 0

    You seem to be losing it. Have you sought professional help recently?

  32. Re:Cool! I worked on this. by Anonymous Coward · · Score: 0

    Kill yourself, my man.