TorBrowser Zero-Day Exploit Undermines the Advantage of Using TOR
The TOR Project is advising that people stop using Windows after the discovery of a zero-day vulnerability in Firefox that undermines the main advantages of the privacy-centered network. For those of you who aren’t aware of what TOR is, TOR (or The Onion Router) is an open source piece of software that prevents anyone from learning your location or browsing habits.
The new zero-day exploit lets someone use a piece of JavaScript to collect crucial identifying information from computers visiting some websites using TOR. The JavaScript was likely planted on certain websites whose visitors the attacker wanted to identify. The script collected the hostname and MAC (Media Access Control) address of a person’s computer and sent them to a remote computer, the exact kind of data that TOR users hope to avoid revealing while surfing the Internet.
The zero-day was written to target Windows computers and exploits a vulnerability in an older version of Firefox (which is what the TorBrowser is based on), though it could potentially make its way to Linux and OS X. I should note that the latest version of the TorBrowser (version 2.3.25-10) has patched the vulnerability, as has any Firefox browser since version 17.0.7. So if you are using an older version of the TorBrowser, update now.
In addition to updating to the latest TorBrowser, The TOR Project also advised users to turn off JavaScript by clicking the blue “S” by the green onion within the TOR browser.
“Disabling JavaScript will reduce your vulnerability to other attacks like this one, but disabling JavaScript will make some websites not work like you expect,” TOR wrote. “A future version of Tor Browser Bundle will have an easier interface for letting you configure your JavaScript settings.”
Obviously, TOR is upset with this zero-day exploit, as it basically renders TOR useless by completely eliminating the reason why people use TOR. The project is so upset by it that they have basically told people to abandon using Windows altogether. “Really, switching away from Windows is probably a good security move for many reasons,” they wrote in the security advisory posted Monday.
While that’s not really a realistic option for most people, I guess I can understand their frustration.