An exploit for a vulnerability in Tor Browser was delivered today in a tweet that left sufficient room for comments. A security vulnerabilities broker disclosed the details because it no longer served its purpose.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript ‘Safest’ security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to “text/html;/json” and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
— Zerodium (@Zerodium) September 10, 2018
The recently released Tor Browser 8 is based on the new Firefox Quantum engine and did not inherit the flaw; neither is the latest NoScript version, which was re-written as a web extension.
Zerodium burning this exploit was also prompted by the fact that Tor Browser, like all modern browsers, comes with an auto-update mechanism, which is enabled by default.
This makes sure that users are not affected in any way by exploits that have already been addressed. One can disable this feature from the ‘app.update’ parameter in the ‘about:config’ menu.
While some users prefer to deploy updates manually for sensitive software such as Tor Browser, the mechanism proves beneficial in such instances.
Giorgio Maone, the developer of NoScript, said today on Twitter that he updated the classic version of the add-on to 184.108.40.206, which continues to be actively developed for users of Firefox 52 ESR (Extended Support Release).
The release notes for the new release ‘thank’ Zerodium for “unresponsible disclosure.”
Fixed in 220.127.116.11 “Classic”: https://t.co/UVKqsYJ7vN
You may need to open about:config and set your xpinstall.signatures.required to false in order to install, since @mozilla’s @mozamo doesn’t support signatures for legacy add-ons anymore.
cc: @torproject , @campuscodi
— Giorgio Maone (@ma1) September 10, 2018