Zero-Day Vulnerability Discovered in Tor Browser 7.x: The latest version of Tor Browser is unaffected
Zerodium today issued an advisory via Twitter about a zero-day vulnerability discovered in Tor Browser 7.x.
Twitter user @x0rz tweeted that the vulnerability is in fact easy to reproduce.
“More concerning than a single vulnerability against a single browser version, even if Tor, is the wide range of exploits tracked by Zerodium,” said Mukul Kumar, CISO and VP of cyber practice at Cavirin.
“The attack surface is large, and the hackers have multiple entry points. To maintain one’s cyber posture requires diligence and a multi-layer approach to security that includes OS and application hardening, patching, and user training, not to mention firewalling, encryption.”
Zerodium is an advanced platform for zero-day vulnerabilities. The company buys vulnerabilities and then resells the information to the federal government, said Chris Morales, head of security analytics at Vectra. “This announcement is being made months after the flaw was first discovered and provided to government agencies. The flaw is patched in the latest version of Tor, so the announcement was intended as more informational as the solution is to simply update to Tor Browser 8.0.”
However, NoScript author Giorgio Maone tweeted, “It’s a bug caused by a work-around for NoScript blocking the in-browser JSON viewer. Thanks @campuscodi for notifying me of the zero day announcements, nobody else did 🙁 A fix is on its way, matter of hours or less. Stay tuned!”
According to Morales, one of the big questions raised is whether the vulnerability was used by government agencies to access systems they believed were being used by targeted individuals.
“Tor does not serve a legitimate business function and is commonly blocked in major enterprises as a risk. We see Tor used by attackers as a form of bypassing perimeter security controls to establish remote access and for command and control. Tor is also used to anonymize activity on the web that a person would not want to be monitored by an ISP or government entity. This vulnerability would have allowed someone to do exactly that – monitor someone who did not want to be seen.”