While the latest version of the Tor browser is unaffected, Zerodium today issued an advisory via Twitter about a zero-day vulnerability in Tor browser 7.x.
According to Zerodium, which buys and sells software vulnerabilities, the browser has a serious vulnerability – a backdoor that leads to a full bypass of Tor’s security protections. The NoScript browser extension is supposed to block all JavaScript at the “safest” security level, but the backdoor enables an attacker to execute malicious code even when the blocking extension is activated.
A Twitter user who goes by the handle @x0rz tweeted that the vulnerability is very easy to reproduce.
“More concerning than a single vulnerability against a single browser version, even if Tor, is the wide range of exploits tracked by Zerodium,” said Mukul Kumar, CISO and VP of cyber practice at Cavirin.
“The attack surface is large, and the hackers have multiple entry points. To maintain one’s cyber posture requires diligence and a multi-layer approach to security that includes OS and application hardening, patching, and user training, not to mention firewalling, encryption.”
Zerodium is an acquisition platform for zero-day vulnerabilities. The company buys vulnerabilities and then resells the information to the federal government, said Chris Morales, head of security analytics at Vectra. “This announcement is being made months after the flaw was first discovered and provided to government agencies. The flaw is patched in the latest version of Tor, so the announcement was intended as more informational as the solution is to simply update to Tor Browser 8.0.”
However, NoScript author Giorgio Maone tweeted, “It's a bug caused by a work-around for NoScript blocking the in-browser JSON viewer. Thanks @campuscodi for notifying me of the zero day announcement, nobody else did :( A fix is on its way, matter of hours or less. Stay tuned!”
According to Morales, the big question here is whether the vulnerability was used by government agencies to access systems they believed were being used by targeted individuals.
“Tor does not serve a legitimate business function and is commonly blocked in major enterprises as a risk. We see Tor used by attackers as a form of bypassing perimeter security controls to establish remote access and for command and control. Tor is also used to anonymize activity on the web that a person would not want to be monitored by an ISP or government entity. This vulnerability would have allowed for someone to do exactly that – monitor someone who did not want to be seen.”