Tor(ched): Zerodium drops exploit for version 7 of anonymous browser
Bug allows malicious scripts to run even with protections active
Bug broker Zerodium has released word of a flaw in the Tor browser that would potentially allow an attack site to bypass security protections and execute malicious code in the supposedly secure internet system.
The flaw was disclosed in a Zerodium Tweet Monday morning that provides some detail on the nature of the flaw.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).— Zerodium (@Zerodium) September 10, 2018
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
Also posted was a proof of concept script showing the exploit in action.
Fortunately, last week's release of Tor browser 8.0 is not subject to the security bypass vulnerability, so getting rid of the flaw is as simple as grabbing the latest version of the software.
Unfortunately, that likely was not the case for much of the time this vulnerability was known of, and sold by the bug-hunting biz.
Zerodium, who counts government organizations among the subscribers to the research feed where it discloses purchased bugs, has reportedly made word of the flaw known for "months" prior to Monday's disclosure. This means that some government organizations could potentially have had the ability to get code onto a fully-patched version of the Tor browser for weeks now.
The company did not respond to a Register request for comment on the matter. ®