Exploit Vendor Drops Tor Browser Zero-Day on Twitter

An anonymous reader writes: Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network. The vulnerability is a bypass of the NoScript extension that's included by default with all Tor Browser distributions. Once bypassed, an attacker can run malicious code inside the Tor Browser, code that under certain circumstances would have been stopped by NoScript.

"This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers," Zerodium CEO Chaouki Bekrar told ZDNet in an interview. "We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week." The NoScript extension released a patch in record time today to fix the vulnerability, two hours after Zerodium dropped its code on Twitter.

Yay, NoScript!

[thomst]

There've been quite a number of posts beardmuttering about a severe NoScript vulnerability for much of the past couple of weeks. The fact is that, if you use the Tor browser at all regularly, you've been seeing a notification flag about that very thing in the addons bar for the whole of that time.

What I take from this story is that, although the existence of the vulnerability had to have been disclosed to the Tor developers - and very likely to the NoScript folks, as well - just prior to the appearance of that flag, it wasn't until today that the Zerodium folks disclosed the actual code to them. Now, if you know there's some kind of vulnerability that's been discovered, but you don't know exactly what that vulnerability consists of, it's pretty fucking difficult to fix the damned thing, because, essentially, you'd have to just blindly guess at its nature and where in your code it might be hiding.

Otherwise you'd just quietly fix it, push out an update, and get on with the task of developing the next version, rather than have to expend those resources on more bughunting. So, to me, the fact that the NoScript team produced a fix in two hours from the time Zerodium released the exploit code is a tribute to their commitment to protecting their users.

It also tells me that the fix itself must have been relatively trivial - which in no way diminishes my admiration for the devs who coded it, tested it, integrated it into the addon, and got it out the door in the duration of a typical garage band rehearsal.

So, good job, guys!

What does give me pause is Zerodium's casual disclosure that they had already thoroughly saturated their market for that exploit, and concluded that they couldn't squeeze another dollar out of the black hat sector (having previously sold it to every nation-state in the intelligence world - or, rather, every one in the market for zero-days). At a guess, that means they've been actively hawking it for not less than six months or so.

And that is a Very Bad Thing, indeed ...

End of life?

Really weird when an exploit vendor says one of their exploits is reaching "end of life".

Also creepy that they are selling this to governments. I'd bet this sort of thing happens all the time from all sorts of shady companies like this.

Re:End of life?

[anti-pop-frustration]

The bigger question is: how is even legal to sell exploits?

It should be illegal, or at the very least heavily regulated.

We need to find economic and legal ways of doing things that result in better security, not simply allowing private companies to profit from making everybody less secure.

Re:Rule One

Not saying you're wrong, but the reason many people use tor is to use the web. If it isn't useful for that, it's never going to get the kind of traction it needs among people "not doing anything wrong".

And if those people don't use it, all it does is paint a HUGE target on the backs of people who do... and who need it to protect themselves.