When we talk about ways to browse safely online, the option that comes to mind right after a VPN is Tor. The Tor Browser certainly tops the list of secure browsers that let you surf the internet with safety and anonymity. However, like any other software, it is not free of bugs. Recently, the cybersecurity firm Zerodium disclosed a Tor Browser zero-day that defeats its JavaScript-blocking feature.
Zerodium Discovered Tor Browser Zero-Day Flaw
As reported by ZDNet, the cybersecurity firm Zerodium published a short advisory in a tweet about a Tor flaw. They disclosed a Tor Browser zero-day vulnerability that undermines one of the browser's security features: as stated in the tweet, the bug allows bypassing the JavaScript blocking performed by the bundled 'NoScript' extension.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
— Zerodium (@Zerodium) September 10, 2018
While they did not publish a detailed proof-of-concept for this vulnerability, the tweet describes it briefly.
'NoScript' is a browser extension that lets a user block JavaScript, Java, and Flash on untrusted websites; the user can then whitelist specific websites on which JS is allowed to run. Built for Mozilla-based browsers including Firefox and SeaMonkey, the extension ships by default with the Tor Browser, where it strengthens the browser's security by blocking all JS except on whitelisted sites.
The bug reported by Zerodium affects exactly this feature: a malicious web page can bypass NoScript and run JavaScript in the browser even at the 'Safest' security level, which is supposed to block all JS.
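The tweet's trigger value, "text/html;/json", points at a general class of bug: a script-blocking policy that decides on the raw Content-Type header string instead of on the parsed media type. The following added example (not NoScript's or Tor's code; the "naive" policy is a hypothetical stand-in written to illustrate the failure mode, not a reconstruction of the actual NoScript 5 logic) contrasts such a fragile check with one that parses the header the way the browser does: the media type is only the token before the first ';', and everything after it is a parameter that must never change the blocking decision. The sample headers are constructed for the demonstration.

```python
"""Added example: why a Content-Type-based script-blocking policy must parse
the media type rather than pattern-match the raw header value."""
import re

# Media types a browser renders as a document in which <script> can run.
# Illustrative list only; a real extension's policy table is larger.
SCRIPT_CAPABLE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "application/xml",
    "text/xml",
}

# A media type is "type/subtype" built from RFC 7230 token characters.
MEDIA_TYPE_RE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")


def parse_content_type(header):
    """Split a Content-Type value into (media_type, params).

    Only the token before the first ';' is the media type; the remainder is
    parameters. Malformed parameters (no '=') are dropped rather than being
    allowed to influence the type, so 'text/html;/json' parses as text/html.
    Returns (None, {}) when the header is missing or not a valid media type."""
    if header is None:
        return None, {}
    media, _, rest = header.partition(";")
    media = media.strip().lower()
    if not MEDIA_TYPE_RE.match(media):
        return None, {}
    params = {}
    for chunk in rest.split(";"):
        key, eq, value = chunk.partition("=")
        if not eq:
            continue  # e.g. the bare '/json' in 'text/html;/json'
        params[key.strip().lower()] = value.strip().strip('"')
    return media, params


def naive_should_block(header):
    """HYPOTHETICAL fragile policy (assumption, not NoScript's real code):
    exempt any response whose raw header 'looks like' a data format that
    cannot carry executable script. The substring match fires on the
    '/json' parameter junk even though the browser renders the body as HTML."""
    if re.search(r"/(json|plain)", header or "", re.I):
        return False
    return True


def robust_should_block(header):
    """Decide on the parsed media type; parameters never change the answer,
    and a missing or unparseable header fails closed because the browser
    may sniff such a response as HTML."""
    media, _ = parse_content_type(header)
    if media is None:
        return True
    return media in SCRIPT_CAPABLE_TYPES


# Constructed sample Content-Type values, including the tweet's trigger.
SAMPLE_HEADERS = [
    "text/html",
    "text/html; charset=utf-8",
    "application/json",
    "text/html;/json",   # bypass value from the advisory
    None,                # header absent
]


def evaluate(headers=SAMPLE_HEADERS):
    """Return {header: (naive_decision, robust_decision)} for each sample."""
    return {h: (naive_should_block(h), robust_should_block(h)) for h in headers}


if __name__ == "__main__":
    for header, (naive, robust) in evaluate().items():
        print(f"{str(header):28} naive_block={naive!s:5} robust_block={robust}")
```

Run as a script, the table shows the two policies agreeing on every sample except "text/html;/json", where the naive check waives blocking while the parsed-type check still blocks. The same parse-then-decide discipline applies to any header-driven policy (CSP reporting, download handling, MIME sniffing defences): treat parameters as opaque and decide only on the validated media type.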
The Bug Was Patched Quickly
After noticing the tweet, ZDNet quickly contacted Giorgio Maone, the author of the NoScript extension. Maone, in turn, tracked down the cause of this Tor Browser zero-day and worked on a patch. He explained that the bug was actually a “NoScript 5 “Classic” bug” and that it did not affect Tor Browser 8 or NoScript 10 Quantum.
Reportedly, within 50 minutes of the disclosure, Giorgio Maone fixed the flaw in NoScript “Classic” version 5.1.8.7, which is now available.
Fixed in 5.1.8.7 "Classic": https://t.co/UVKqsYJ7vN
You may need to open about:config and set your xpinstall.signatures.required to false in order to install, since Mozilla doesn't support signing for "Classic" (legacy) add-ons anymore.
— Giorgio Maone #SaveInternetFreedom (@ma1) September 10, 2018
Users of Firefox, Tor, and other browsers that run NoScript Classic can download this patched NoScript version to mitigate the vulnerability. Likewise, Tor users still on browser version 7.x need to upgrade to version 8.x, which ships NoScript 10 Quantum; those already running Tor Browser 8.x are not affected.
Let us know your thoughts in the comments section.