must read Amazon announces everything Alexa but the kitchen sink

Exploit vendor drops Tor Browser zero-day on Twitter

A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable.

Why social media fatigue is spreading

Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.

In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions.

NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content. It is included with all Tor Browser distributions because it provides an extra layer of security for Tor Browser users.

Zerodium's Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking ability.

According to Zerodium, the zero-day affects only the Tor Browser 7.x series. The Tor Browser 8.x branch, released last week, is not affected.

The reason is that the Tor Browser 8.x series switched its underlying codebase from an older Firefox core to the new Firefox Quantum platform, which uses a new add-ons API.

The NoScript add-on was rewritten at the end of last year to work on the new Firefox Quantum platform, hence the reason why the zero-day revealed today does not work on the new Tor Browser 8.x series.

Also: 7 tips for SMBs to improve data security TechRepublic

In an interview with ZDNet, Giorgio Maone, the author of the NoScript extension, said the zero-day was caused by a workaround for NoScript blocking the Tor Browser's in-browser JSON viewer.

Maone was not aware of the vulnerability before ZDNet contacted him earlier today.

After successfully reproducing the issue, Maone promised an update to the NoScript add-on for later today, to mitigate the zero-day's effects.

"I'm gonna release the update within 24 hours or less, like I always did in the past," Maone told ZDNet.

The Tor Project replied to ZDNet's request for comment but was not prepared to issue an official statement before this article's publication.

In an email exchange with ZDNet, Zerodium CEO Chaouki Bekrar provided more details about today's zero-day.

Also: Why free VPNs are not a risk worth taking

"We've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements," Bekrar told ZDNet.

"This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.

"We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users.

Also: Best Home Security Devices for 2018 CNET

"The exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component.

"If a user sets his Tor browser security level to "Safest" aiming to block all JavaScript from all websites e.g. to prevent exploits, the disclosed bug would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code, making the 'Safest' security level useless against browser exploits," Bekrar added.

ZDNet advises Tor Browser 7.x users to update to Tor Browser 8.x, or at least make sure to install the NoScript update that Maone promised for later today. The current NoScript version included with Tor Browser 7.5.6 is NoScript 5.1.8.6.

UPDATE: Minutes after this article's publication, Maone released NoScript "Classic" version 5.1.8.7, which fixes the zero-day's exploitation vector. The patch came exactly two hours after Zerodium released details on Twitter. Maone also told ZDNet that the bug was introduced in NoScript 5.0.4, released on May the 11th 2017.

UPDATE on September 11, 10:30 AM EST: A spokesperson for the Tor Project told ZDNet they were not aware of the exploit prior to being disclosed on Twitter by Zerodium.The Tor Project member confirmed what Zerodium CEO Chaouki Bekrar told ZDNet --that a second exploit would be needed for doing real damage against Tor Browser users

"It is a bug in NoScript and not a zero-day exploit of Tor Browser that circumvents its privacy protections," the Tor Project spokesperson said. "For bypassing Tor, a real browser exploit would still be needed."

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Visit ZDNET