Slashdot Mirror


Exploit Vendor Drops Tor Browser Zero-Day on Twitter (zdnet.com)

An anonymous reader writes: Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network. The vulnerability is a bypass of the NoScript extension that's included by default with all Tor Browser distributions. Once bypassed, an attacker can run malicious code inside the Tor Browser, code that under certain circumstances would have been stopped by NoScript.

"This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers," Zerodium CEO Chaouki Bekrar told ZDNet in an interview. "We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week." The NoScript extension released a patch in record time today to fix the vulnerability, two hours after Zerodium dropped its code on Twitter.

4 of 78 comments

  1. Rule One by Anonymous Coward · Score: 3, Informative

    Rule one of Tor: disable javascript in about:config.

  2. Untrue per what I read... apk by Anonymous Coward · Score: 0, Informative

    "As Zerodium notes in its disclosure, the vulnerability is active even when the user is running the browser with NoScript, a Javascript-blocking extension that is included with the Tor browser (but is not set to active by default)." SOURCE: https://www.theregister.co.uk/...

    * So, you're incorrect... the FOOLS never turned it on in the 1st place! THIS GOES FOR "TOR" ITSELF actually, NOT so much for "Zerodium" WHO SHOULD HAVE SEEN THAT THOUGH IN THEIR MODEL OF IT!

    APK

    P.S.=> Don't worry, I was too INITIALLY (VERY misleading headlines ARE out there on it) UNTIL I read that part I quoted above... apk

  3. "Posts" not "drops" by jabberw0k · Score: 2, Informative

    The link was posted (added), not dropped (removed).

  4. Re:Yay, NoScript! by Giorgio Maone · Score: 5, Informative

    The NoScript dev -- not "devs" ;) -- here.

    Thank you for your commentary, which is quite to the point except for two details which I'd like to set straight:

    • The existence of this vulnerability, let alone its nature, has never been disclosed either to me or to the Tor Browser team. The very first hint I had about it has been this tweet by the ZDNet reporter, sent about one later than Zerodium's one, and noticed even later.
    • Based exclusively on that Zerodium tweet (not a proper bug report, just an innuendo without even a link to a live PoC), the "NoScript team" (just me, actually) scrambled to create a reproducible test case, dig into NoScript 5 "Classic"'s code base which had not been touched for months*, find the bug, fix it, test the patch, package two new versions (one for the beta autoupdate channel, one for the stable one) and deploy them both in quite less than one hour, in real time while being interviewed by the journalist. In the old days, when I had my own garage bands, our typical rehearsals were much longer -- and pleasant ;)

    * NoScript 10 "Quantum" has been the main branch and the only one I focused on since December 2017: it's a complete rewrite and was born unaffected by this bug. NoScript 5 has been kept around so far for the Tor Browser and the others based on Firefox ESR 52, like Palemoon.

    I'd also like to add that NoScript 10's code is much simpler, leaner and easier to understand / maintain, and has got a lot more "friendly" eyeballs reviewing it for possible flaws. Therefore I'm quite confident something like this wouldn't go unnoticed that easily. Anyway, I vow to keep fixing whatever security bug is found (either cooperatively or in a hostile and disturbing way, like in this case) as fast as humanly possible, and even a bit faster, like I always did :)

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript