
SoylentNews is people

posted by Fnord666 on Tuesday September 11 2018, @12:18PM
from the land-of-tor dept.

A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable.

Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.

In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions.

NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content. It is included with all Tor Browser distributions because it provides an extra layer of security for Tor Browser users.

Zerodium's Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking ability.


  • (Score: 4, Interesting) by DannyB (5839) on Tuesday September 11 2018, @01:23PM (#733133)

    First I gave up on AdBlocker when it became apparent that their motivations were conflicted. They weren't strictly acting in my interests. It's called a USER Agent for a reason.

    Then I gave up on NoScript for similar reasons. Especially when: it's okay to block ads, but not *our* ads.

    So far uMatrix has been the best. It is simple for a nerd to use. It offers better, more complete, and more detailed control. As well as giving easy insight into how much crap any particular website is trying to load.

    Something is clearly malfunctioning on SN because it doesn't show any scripts nor third party sites, oh my. Clearly such a thing is so unnatural that it could not be by deliberate wilful design.

    --
    The lower I set my standards the more accomplishments I have.
  • (Score: 0) by Anonymous Coward on Wednesday September 12 2018, @05:16AM (#733495)

    Then I gave up on NoScript for similar reasons. Especially when: it's okay to block ads, but not *our* ads.

    Supposing that were true, which I have not heard about NoScript, there is defense in depth: what NoScript may let through was already blocked by RequestPolicy.