Tor(ched): Zerodium drops exploit for version 7 of anonymous browser

Bug allows malicious scripts to run even with protections active

Bug broker Zerodium has released word of a flaw in the Tor browser that would potentially allow an attack site to bypass security protections and execute malicious code in the supposedly secure internet system.

The flaw was disclosed in a Zerodium Tweet Monday morning that provides some detail on the nature of the flaw.

Also posted was a proof of concept script showing the exploit in action.

As Zerodium notes in its disclosure, the vulnerability is active even when the user is running the browser with NoScript, a JavaScript-blocking extension that is included with the Tor browser (but is not set to active by default). This means that even when running a fully-patched version of Tor 7.x with maximum security settings, an attacker would be able to get malicious scripts up and running on the targeted machine.

Fortunately, last week's release of Tor browser 8.0 is not subject to the security bypass vulnerability, so getting rid of the flaw is as simple as grabbing the latest version of the software.

Unfortunately, that likely was not the case for much of the time this vulnerability was known of, and sold, by the bug-hunting biz.

Zerodium, which counts government organizations among the subscribers to the research feed where it discloses purchased bugs, has reportedly made word of the flaw known for "months" prior to Monday's disclosure. This means that some government organizations could potentially have had the ability to get code onto a fully-patched version of the Tor browser for weeks now.

The company did not respond to a Register request for comment on the matter. ®