Windows 10 News and info | Forum
Topic: Exploit Affecting Tor Browser Burned In A Tweet
Author: javajolt
« on: September 11, 2018, 12:02:24 PM »

An exploit for a vulnerability in Tor Browser was delivered today in a tweet that left sufficient room for comments. A security vulnerabilities broker disclosed the details because it no longer served its purpose.

The exploit was part of Zerodium's portfolio and worked for Tor Browser 7.x. It existed in the NoScript component, which is a browser add-on that stops web pages from executing JavaScript, Flash, Java or Silverlight.

An exploit that one can only assume Zerodium paid good money for is just a matter of setting the Content-Type of the attacker's HTML/JS page, or a hidden service in the Tor network, to "text/html/json", to suppress any reaction from NoScript and permit all JavaScript code through.

The bug worked when the user configured NoScript to block out all JavaScript by selecting the add-on's "Safest" security level.



The recently released Tor Browser 8 is based on the new Firefox Quantum engine and did not inherit the flaw; neither did the latest NoScript version, which was rewritten as a web extension.

Zerodium burning this exploit was also prompted by the fact that Tor Browser, like all modern browsers, comes with an auto-update mechanism, which is enabled by default.



This makes sure that users are not affected in any way by exploits that have already been addressed. One can disable this feature from the 'app.update' parameter in the 'about:config' menu.

While some users prefer to deploy updates manually for sensitive software such as Tor Browser, the mechanism proves beneficial in such instances.



Giorgio Maone, the developer of NoScript, said today on Twitter that he updated the classic version of the add-on to 5.1.8.7, which continues to be actively developed for users of Firefox 52 ESR (Extended Support Release).

The release notes for the new release 'thank' Zerodium for "unresponsible disclosure."



source
« Last Edit: September 11, 2018, 12:04:57 PM by javajolt »
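
An added example, not part of the original post and not NoScript's or Tor Browser's code: a strict, fail-closed parser for the Content-Type value the article mentions, which rejects any media type that is not exactly `type/subtype`. The classification policy, the function names and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: strict, fail-closed Content-Type classification.
// RFC 9110 "token" characters, valid for both the type and the subtype.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parse a Content-Type header value into {type, subtype}, or null if malformed.
function parseMediaType(headerValue) {
  if (typeof headerValue !== "string") return null;
  // Drop parameters such as "; charset=utf-8".
  const essence = headerValue.split(";")[0].trim().toLowerCase();
  const parts = essence.split("/");
  // Exactly one "/" is allowed: "text/html/json" splits into three parts.
  if (parts.length !== 2) return null;
  const [type, subtype] = parts;
  if (!TOKEN.test(type) || !TOKEN.test(subtype)) return null;
  return { type, subtype };
}

// Hypothetical policy: only well-formed JSON types count as inert data.
// Everything else, including unparseable values, is handled as active content.
function classify(headerValue) {
  const mt = parseMediaType(headerValue);
  if (mt === null) return "malformed-treat-as-active";
  const isJson = mt.subtype === "json" || mt.subtype.endsWith("+json");
  if (isJson && (mt.type === "application" || mt.type === "text")) return "data";
  return "active";
}

// Constructed sample responses (the paths are made up for this example).
const SAMPLES = [
  ["/index.html", "text/html; charset=utf-8"],
  ["/api/items", "application/json"],
  ["/api/problem", "application/problem+json"],
  ["/page", "text/html/json"],
  ["/empty", ""],
];

// Return the paths whose Content-Type is malformed, for alerting or blocking.
function findMalformed(samples) {
  return samples
    .filter(([, ct]) => classify(ct) === "malformed-treat-as-active")
    .map(([path]) => path);
}

console.log(findMalformed(SAMPLES));
```

The same check fits a proxy or log pipeline: a response whose media type does not parse is flagged and handled under the strictest policy instead of being matched loosely on its suffix.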


