
posted by Fnord666 on Tuesday September 11 2018, @12:18PM
from the land-of-tor dept.

A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable.

Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.

In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions.

NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content. It is included with all Tor Browser distributions because it provides an extra layer of security for Tor Browser users.

Zerodium's Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking ability.


Related Stories

Zerodium Temporarily Stops Buying iOS Exploits Because there are Too Many

Zerodium Temporarily Stops Purchasing iOS Exploits Due to High Number of Submissions

Zerodium this week announced that it will not be purchasing any iOS exploits for the next two to three months due to a high number of submissions. In other words, the company has so many security vulnerabilities at its disposal that it does not need any more.

Zerodium is an exploit acquisition platform that pays researchers for zero-day security vulnerabilities and then sells them to institutional customers like government organizations and law enforcement agencies. The company focuses on high-risk vulnerabilities, normally offering between $100,000 and $2 million per fully functional iOS exploit.

Also at The Register and Wccftech.

Previously: Zero-Day Broker Publishes a Price Chart for Different Classes of Digital Intrusion
Exploit Vendor Drops Tor Browser Zero-Day on Twitter


  • (Score: 0) by Anonymous Coward on Tuesday September 11 2018, @12:31PM

    by Anonymous Coward on Tuesday September 11 2018, @12:31PM (#733120)

    You know what to do.

  • (Score: 2) by The Mighty Buzzard on Tuesday September 11 2018, @01:11PM (3 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday September 11 2018, @01:11PM (#733131) Homepage Journal

    So it is a NoScript vulnerability, not a Tor Browser bug? Journalism today...

    --
    My rights don't end where your fear begins.
    • (Score: 5, Informative) by takyon on Tuesday September 11 2018, @01:44PM (2 children)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Tuesday September 11 2018, @01:44PM (#733138) Journal

      "We've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements," Bekrar told ZDNet.

      "This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.

      "We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users.

      And some background on Zerodium:

      https://en.wikipedia.org/wiki/Zerodium [wikipedia.org]

      Zerodium is an American information security company founded in 2015 based in Washington, D.C.. Its main business is acquiring premium zero-day vulnerabilities with functional exploits from security researchers and companies, and reporting the research, along with protective measures and security recommendations, to its corporate and government clients. The founder, Chaouki Bekrar, is also known for founding VUPEN (defunct).

      In 2015, Zerodium was the first company to release a full pricing chart for 0days ranging from $5,000 to $1,500,000 per exploit. The company is reportedly spending between $400,000 to $600,000 per month for vulnerability acquisitions.

      So according to Chaouki Bekrar, they have "many exploits" for Tor. This one stopped working on the latest Tor Browser branch, so they decided to throw it up onto Twitter to drum up some attention for their business, instead of reporting it to NoScript or Tor maintainers. I assume there are people still using the old Tor Browser, maybe because of the switch to Firefox Quantum.

      Yup, this guy is an asshole [threatpost.com].

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 4, Interesting) by edIII on Tuesday September 11 2018, @07:17PM (1 child)

        by edIII (791) on Tuesday September 11 2018, @07:17PM (#733258)

        This is why I think we should make it illegal to hold on to zero-days for our own avarice-filled purposes. It should be treated no differently than if I had knowledge of an impending murder, but chose to say nothing. If we forced responsible disclosure of zero-days and other such threats, then it would obviously lead to a more secure world. At least more secure than one with such exploits in the wild.

        Likewise, a corporation once dutifully informed, is obligated to either fix the bug immediately, or inform all of its customers. If a specific category of IoT device, a recall is issued.

        Right now it's like the Cold War, with corporations, governments, and hackers all vying for a stockpile of cyberweapons for their own purposes. Meanwhile, the world suffers.

        I hope this douchenozzle running the corporation gets head to toe herpes.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 1, Interesting) by Anonymous Coward on Wednesday September 12 2018, @11:25AM

          by Anonymous Coward on Wednesday September 12 2018, @11:25AM (#733556)

          Making it illegal won't make me stop holding them. In fact, I can't think of any illegal thing that I won't do because it's illegal. Usually it's not the "illegal" that stops me, it's the "unprofitable".

          "Meanwhile, the world suffers." - modernity discourse detected, as if suffering was less before exploit brokers came into existence.

          The "more secure world" is a logical extreme, has nothing to do with reality.

          THERE EXISTS NO SECURITY, AND NEVER WILL EXIST

          the only thing that's real is WAR

  • (Score: 2) by MrGuy on Tuesday September 11 2018, @01:18PM (2 children)

    by MrGuy (1007) on Tuesday September 11 2018, @01:18PM (#733132)

    They found a security hole. The hole was patched. The patch was released (Tor 8, which is not vulnerable, has been out for about 2 weeks). What's irresponsible about announcing a fixed, patched bug with a generally released fix?

    Other than announcing on Twitter, where's the story?

    • (Score: 4, Insightful) by nobu_the_bard on Tuesday September 11 2018, @02:35PM

      by nobu_the_bard (6373) on Tuesday September 11 2018, @02:35PM (#733161)

      Sounds like an exploit company trying to drum up some attention using the husk of an asset they've already pumped for money and that recently dried up on them. It costs basically nothing for them to do at this point, but might get their name out there, so...

    • (Score: 2) by edIII on Tuesday September 11 2018, @07:18PM

      by edIII (791) on Tuesday September 11 2018, @07:18PM (#733260)

      That they're doing it for business purposes only. What about the other Tor exploits they say they have? Will those also be responsibly disclosed? Or withheld to make their security offerings more valuable?

      --
      Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 4, Interesting) by DannyB on Tuesday September 11 2018, @01:23PM (1 child)

    by DannyB (5839) Subscriber Badge on Tuesday September 11 2018, @01:23PM (#733133) Journal

    First I gave up on AdBlocker when it became apparent that their motivations were conflicted. They weren't strictly acting in my interests. It's called a USER Agent for a reason.

    Then I gave up on NoScript for similar reasons. Especially when: it's okay to block ads, but not *our* ads.

    So far uMatrix has been the best. It is simple for a nerd to use. It offers better, more complete, and more detailed control. As well as giving easy insight into how much crap any particular website is trying to load.

    Something is clearly malfunctioning on SN because it doesn't show any scripts nor third party sites, oh my. Clearly such a thing is so unnatural that it could not be by deliberate wilful design.

    --
    The lower I set my standards the more accomplishments I have.
    • (Score: 0) by Anonymous Coward on Wednesday September 12 2018, @05:16AM

      by Anonymous Coward on Wednesday September 12 2018, @05:16AM (#733495)

      Then I gave up on NoScript for similar reasons. Especially when: it's okay to block ads, but not *our* ads.

      Supposing that were true, which I have not heard about NoScript, there is defense in depth: what NoScript may let through was already blocked by RequestPolicy.

  • (Score: 0) by Anonymous Coward on Tuesday September 11 2018, @01:38PM

    by Anonymous Coward on Tuesday September 11 2018, @01:38PM (#733136)

    so if js runs in tor after fooling an add-on it's "malicious code"?
    that is a strange definition.
    maybe all js is malicious instead, never mind the browser engine?

  • (Score: 2, Insightful) by Anonymous Coward on Tuesday September 11 2018, @02:53PM (1 child)

    by Anonymous Coward on Tuesday September 11 2018, @02:53PM (#733166)

    Let me get this straight.... I discover and disseminate an exploit that can hack a computer that is perfectly legal. It takes somebody else using it to be an illegal act. But I discover and disseminate an exploit that circumvents copyright protection I've violated the DMCA. It doesn't matter whether I or anybody else use it.

    Yep. There's a societal cognitive disconnect.

    • (Score: 1, Informative) by Anonymous Coward on Tuesday September 11 2018, @04:17PM

      by Anonymous Coward on Tuesday September 11 2018, @04:17PM (#733183)

      Let me get this straight.... I discover and disseminate an exploit that can hack a computer that is perfectly legal.

      You are correct. But keep in mind that governments buy and use exploits to their benefit. Having laws against the sale or purchase of an exploit would be an annoyance for our government.

  • (Score: 3, Informative) by bob_super on Tuesday September 11 2018, @05:10PM (3 children)

    by bob_super (1357) on Tuesday September 11 2018, @05:10PM (#733213)

    As a user, I want NoScript to be the first thing parsing the page I'm accessing, and I want it to strip Absolutely Everything that looks, well, like a script.
    I'm confused as to why this process can ever be bypassed by setting a certain type.

    • (Score: 4, Informative) by DannyB on Tuesday September 11 2018, @06:49PM (2 children)

      by DannyB (5839) Subscriber Badge on Tuesday September 11 2018, @06:49PM (#733246) Journal

      An HTTP server can send all kinds of byte streams to your browser. How is your browser to know what these bytes mean?

      HTTP begins with a series of extensible headers. One of those headers is Content-Type. (Another optional header is Content-Length, for example, and many others, like Content-Disposition.)

      When the browser sees a certain Content-Type, it knows that the byte stream is a PNG image, and doesn't have any scripts to scan. Or it knows that the content stream is an MKV video stream. Or a plain text content. Or executable content intended for a Windows OS.

      What happens for the exploit is that another Content-Type can contain JavaScript, but NoScript does not know to recognize this and process it accordingly.

      I hope that helps your confusion.

      Given the vast number of content types, and that many of them are binary, or various forms of text (JSON, XML, YAML, CSV, HTML, DIF, SYLK, a ZIP file, ad nauseam), or various binary types, it is on NoScript to understand which content types might contain JavaScript.

      --
      The lower I set my standards the more accomplishments I have.
      • (Score: 2) by bob_super on Tuesday September 11 2018, @07:02PM (1 child)

        by bob_super (1357) on Tuesday September 11 2018, @07:02PM (#733251)

        Thanks for the write-up. I kinda knew that, but the subtext is the same as for the somehow-still-a-thing buffer overflow attacks: I don't want to execute this data. Just don't. Never pass this address to the PC or copy this data into a place where it could get executed. Period.
        Which is too much to ask of an extension, and should be in the browser engine itself: read and interpret the page, but never ever run any script that goes beyond basic formatting (list the explicit safe objects which can be manipulated) in there without my explicit permission. Leaving me with mostly borked internet pages, a non-starter since that turns off >98% of users.

        • (Score: 3, Informative) by DannyB on Tuesday September 11 2018, @09:00PM

          by DannyB (5839) Subscriber Badge on Tuesday September 11 2018, @09:00PM (#733309) Journal

          Buffer overflow attacks would be a thing about using a low-level language, like C, and programming techniques where you pass addresses without lengths, or don't properly do length checking. A problem far removed from what is being described at the high level.

          I don't want to execute this data. Just don't. Never pass this address to the PC or copy this data into a place where it could get executed.

          NoScript doesn't have control of how the browser processes the byte stream once NoScript allows the browser to process it. I haven't seen NoScript's source code, nor how it interfaces with the browser. I suspect it basically works like this. NoScript gets the incoming info, and can decide whether to hand it to the browser or not. Potentially NoScript can edit the content, and hand it to the browser. Whether it can edit it, I do not know, and is not so important to understand the problem.

          If NoScript decided it is not interested in the content, and does not need to block it, then it hands the byte stream to the browser which processes it -- including exploits that happen within the browser, or other browser plugins, if any.

          So NoScript sees this Content-Type, doesn't know to check it, or edit it, for JavaScript content, and hands it to the browser. The browser then handles the content as it would whether or not NoScript was installed.

          Basically, NoScript has veto power, or possibly censorship editing power over byte streams, and will take actions on certain types of content.

          --
          The lower I set my standards the more accomplishments I have.
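As an added illustration of the point DannyB makes in the two posts above, that a script blocker has to decide what to do with every Content-Type it sees and that anything it does not recognise is simply handed to the browser, here is a toy filter written for this thread. It is not NoScript's code, and the type lists and the `application/x-hypothetical-script` sample are constructed for the example, not the type involved in the real bug.

```python
import re

# Types a script-aware filter treats as runnable script (constructed list).
SCRIPT_TYPES = {"text/javascript", "application/javascript", "application/x-javascript"}

# Types known not to carry runnable script (constructed allow-list).
INERT_TYPES = {"image/png", "image/jpeg", "video/x-matroska", "text/plain", "text/csv"}


def normalize_mime(content_type):
    """Reduce a raw Content-Type header to lower-case 'type/subtype' without
    parameters such as charset. Returns None if the header is absent or malformed."""
    if not content_type:
        return None
    essence = content_type.split(";", 1)[0].strip().lower()
    if not re.fullmatch(r"[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+", essence):
        return None
    return essence


def naive_denylist_verdict(content_type):
    """Deny-list compared against the raw header: case and parameters slip past it."""
    return "block" if content_type in SCRIPT_TYPES else "pass"


def denylist_verdict(content_type):
    """Deny-list on the normalised type. Anything not on the list, including a
    type the author never considered, is passed to the browser untouched."""
    return "block" if normalize_mime(content_type) in SCRIPT_TYPES else "pass"


def allowlist_verdict(content_type):
    """Default deny: only types known to be inert are handed through; unknown,
    missing or malformed types are vetoed."""
    return "pass" if normalize_mime(content_type) in INERT_TYPES else "block"


# Constructed sample responses. The third stands in for "a Content-Type the
# filter did not know to check"; the name is hypothetical.
SAMPLES = ["image/png", "Text/JavaScript; charset=UTF-8",
           "application/x-hypothetical-script", None]


def compare(samples=SAMPLES):
    """Map each sample header to (naive deny-list, deny-list, allow-list) verdicts."""
    return {s: (naive_denylist_verdict(s), denylist_verdict(s), allowlist_verdict(s))
            for s in samples}


if __name__ == "__main__":
    for ct, (naive, deny, allow) in compare().items():
        print(f"{ct!r:40} naive={naive:5} deny-list={deny:5} allow-list={allow}")
```

The deny-list design passes the unfamiliar type straight through, exactly the failure mode described above; the allow-list design vetoes it, at the cost of breaking pages that use types not on the list.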
  • (Score: 3, Informative) by Anonymous Coward on Tuesday September 11 2018, @08:33PM (1 child)

    by Anonymous Coward on Tuesday September 11 2018, @08:33PM (#733294)

    https://tech.slashdot.org/comments.pl?sid=12595462&cid=57288702 [slashdot.org]
    https://slashdot.org/~Giorgio+Maone [slashdot.org]

    The NoScript dev -- not "devs" ;) -- here.

    Thank you for your commentary, which is quite to the point except for two details which I'd like to set straight:

            The existence of this vulnerability, let alone its nature, has never been disclosed to me nor to the Tor Browser team. The very first hint I had about it has been this tweet by the ZDNet reporter [twitter.com], sent about one later than Zerodium's one [twitter.com], and noticed even later.
            Based exclusively on that Zerodium tweet (not a proper bug report, just an innuendo without even a link to a live PoC), the "NoScript team" (just me, actually) scrambled to create a reproducible test case, dig into NoScript 5 "Classic"'s code base which had not been touched for months*, find the bug, fix it, test the patch, package two new versions (one for the beta autoupdate channel, one for the stable one) and deploy them both in quite less than one hour, in real time while being interviewed by the journalist. In the old days, when I had my own garage bands, our typical rehearsals were much longer -- and pleasant ;)

    * NoScript 10 "Quantum" has been the main branch and the only one I focused on since December 2017: it's a complete rewrite and was born unaffected by this bug. NoScript 5 has been kept around so far for the Tor Browser and the others based on Firefox ESR 52, like Palemoon.

    I'd also like to add that NoScript 10's code [github.com] is much simpler, leaner and easier to understand / maintain, and has got a lot more "friendly" eyeballs reviewing it for possible flaws. Therefore I'm quite confident something like this wouldn't go unnoticed that easily. Anyway, I vow to keep fixing whatever security bug is found (either cooperatively or in a hostile and disturbing way, like in this case) as fast as humanly possible, and even a bit faster, like I always did :)

    • (Score: 0) by Anonymous Coward on Wednesday September 12 2018, @12:02AM

      by Anonymous Coward on Wednesday September 12 2018, @12:02AM (#733399)

      We should get this dude to come hang out on SN. Doesn't he care about Beta being craptactular at all? Guess that's what you get for being sloppy with your UX ideals...

  • (Score: 2, Interesting) by Anonymous Coward on Wednesday September 12 2018, @12:24AM (2 children)

    by Anonymous Coward on Wednesday September 12 2018, @12:24AM (#733410)

    For anyone using Tor who only now got the wakeup call: don't use Torbrowser for really sensitive matters. Use Tails [soylentnews.org] instead. If you get pwned by the government, there won't be anything on the machine to identify or incriminate you. As a bonus, using a one-size-fits-all platform helps with browser fingerprinting.

    Tails can be installed on a flash drive with a persistent, encrypted partition. Put it on a MicroSD card, keep it in an SD adapter. Should it become necessary, you can hide/throw away/swallow the MicroSD with ease and leave no trace of what you have been using your laptop for.

    • (Score: 2) by linuxrocks123 on Wednesday September 12 2018, @04:22AM (1 child)

      by linuxrocks123 (2557) on Wednesday September 12 2018, @04:22AM (#733482) Journal

      Swallowing the card may not be enough: https://petapixel.com/2016/06/13/swallowed-64gb-microsd-card/ [petapixel.com]

      • (Score: 0) by Anonymous Coward on Wednesday September 12 2018, @05:08AM

        by Anonymous Coward on Wednesday September 12 2018, @05:08AM (#733492)

        Swallowing is not "to get rid of it", just plausible deniability. If they don't know you had one in the first place, they will not come looking. But I'd wager it'd be hard to notice even in a cursory X-Ray. Those cards are fucking tiny.

        If you wanna be sneaky, use a double-layered belt and jam the card between the layers. There are probably more ways to hide a microSD on the spot.
