Tor(ched): Zerodium drops exploit for version 7 of anonymous browser
Bug allows malicious scripts to run even with protections active
Bug broker Zerodium has released details of a flaw in the Tor Browser that would allow a malicious website to bypass the browser's script-blocking protections and run JavaScript in what is supposed to be its most locked-down configuration.
The flaw was disclosed in a Zerodium tweet on Monday morning that gives some detail on its nature.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
— Zerodium (@Zerodium) September 10, 2018
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
Also posted was a proof of concept script showing the exploit in action.
Very easy to reproduce the Zerodium Tor Browser 7.x NoScript bypass vulnerability https://t.co/k78ejoavWl #TorBrowser #vulnerability pic.twitter.com/k1mUJZUo77
— x0rz (@x0rz) September 10, 2018
As Zerodium notes in its disclosure, the vulnerability works even when the user is running the browser with NoScript, the JavaScript-blocking extension that ships with Tor Browser, set to its 'Safest' security level, which is supposed to block all scripts (that level is not the default setting). In practice a page only needs to serve itself with a Content-Type of "text/html;/json" instead of the usual "text/html" for the block to be skipped. This means that an attacker could get malicious scripts running inside a fully patched Tor Browser 7.x even at its maximum security setting.
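The bypass in the tweet above hinges on a Content-Type value, "text/html;/json", that does not fit the HTTP grammar (after the media type, each ";"-separated parameter must be an attribute=value pair). The following is an added example, not code from this page, from Zerodium or from NoScript: a strict Content-Type parser, a lenient substring match that stands in for a content-type-based allow decision (an assumption for illustration, not NoScript's real logic), and a check a proxy or IDS could use to flag such headers in response logs. The sample headers are constructed.

```javascript
// Added example: strict vs lenient Content-Type handling, using the bypass
// header quoted on the page. Not NoScript's code; the lenient check is a
// hypothetical stand-in to show how a loose match can be fooled.

// Parse a Content-Type header value per RFC 7231:
//   type "/" subtype *( OWS ";" OWS parameter ), parameter = token "=" value
// Segments that are not attribute=value pairs are collected in `malformed`.
function parseContentType(header) {
  const tokenRe = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;
  const parts = header.split(';');
  const mediaType = parts[0].trim().toLowerCase();
  const [type, subtype, ...rest] = mediaType.split('/');
  const validMediaType =
    rest.length === 0 && !!type && !!subtype && tokenRe.test(type) && tokenRe.test(subtype);
  const params = {};
  const malformed = [];
  for (const raw of parts.slice(1)) {
    const seg = raw.trim();
    const eq = seg.indexOf('=');
    if (eq <= 0 || !tokenRe.test(seg.slice(0, eq))) {
      malformed.push(seg); // e.g. "/json": no attribute=value pair at all
      continue;
    }
    params[seg.slice(0, eq).trim().toLowerCase()] = seg.slice(eq + 1).trim();
  }
  return { mediaType, validMediaType, params, malformed };
}

// Lenient stand-in (assumption, not NoScript's real logic): treat anything
// that mentions "json" as data rather than a document that can carry scripts.
function lenientIsJson(header) {
  return header.toLowerCase().includes('json');
}

// Strict check: only the parsed media type counts, and a header that fails
// the grammar is NOT treated as JSON, so script blocking stays in force.
function strictIsJson(header) {
  const ct = parseContentType(header);
  if (!ct.validMediaType || ct.malformed.length > 0) return false;
  return ct.mediaType === 'application/json' || ct.mediaType.endsWith('+json');
}

// Log-review helper: flag responses that declare an HTML media type but
// carry parameter junk, which is exactly the shape of the PoC header.
function flagSuspiciousContentType(header) {
  const ct = parseContentType(header);
  const htmlLike = ct.mediaType === 'text/html' || ct.mediaType === 'application/xhtml+xml';
  return htmlLike && ct.malformed.length > 0;
}

// Constructed sample headers (not captured traffic).
const SAMPLE_HEADERS = [
  'text/html; charset=utf-8',
  'application/json',
  'text/html;/json', // the value from the Zerodium tweet
  'text/html; charset=utf-8;/json',
];

// Run every header through both checks and the detector.
function classifyAll(headers = SAMPLE_HEADERS) {
  return headers.map((h) => ({
    header: h,
    lenientJson: lenientIsJson(h),
    strictJson: strictIsJson(h),
    suspicious: flagSuspiciousContentType(h),
  }));
}

console.log(JSON.stringify(classifyAll(), null, 2));
```

The lenient check says "JSON" for the PoC header while the strict one does not, which is the whole difference between a blocked and an executed script; the detector is the same parser turned into a log rule for anyone hunting for this pattern in proxy data.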
Fortunately, last week's release of Tor Browser 8.0 is not subject to the bypass, so getting rid of the flaw is as simple as updating to the latest version of the software.
Unfortunately, that likely was not the case for much of the time the vulnerability was known to, and sold by, the bug-buying biz.
Zerodium, which counts government organisations among the subscribers to the research feed through which it discloses purchased bugs, has reportedly been aware of the flaw, and making it available to those subscribers, for "months" prior to Monday's disclosure. This means that some government organisations could potentially have had the ability to get scripts running in a fully patched Tor Browser 7.x for weeks, if not months.
The company did not respond to a Register request for comment on the matter. ®