Although the Browser Bundle will automatically check for a new version, it is possible that some users didn't upgrade, which could have put them at risk. Several TOR Browser Bundle versions were fixed over a four-day period starting June 26.

Requests to websites on TOR take a circuitous route through a network of servers around the world designed to obscure a computer's IP address and other networking information that makes it easier to link a computer to a user. The bundle's browser, based on Firefox, is specially configured to visit TOR sites, which have URLs that look like ". The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle.

"A future version of Tor Browser Bundle will have an easier interface for letting you configure your JavaScript settings." "Disabling JavaScript will reduce your vulnerability to other attacks like this one, but disabling JavaScript will make some websites not work like you expect," TOR wrote. The TOR Project also advised users to turn off JavaScript by clicking the blue "S" by the green onion within the TOR browser.

"This exploit doesn't look like general purpose malware; it looks targeted specifically to unmask Tor Browser Bundle users without actually installing any backdoors on their host," said Vlad Tsyrklevich, a security researcher who analyzed the code, in an email. The script collected the hostname and MAC (Media Access Control) address of a person's computer and sent them to a remote computer, exactly the kind of data that TOR users hope to avoid revealing while surfing the Internet. The JavaScript was likely planted on certain websites whose visitors the attacker wanted to identify.

"This wasn't the first Firefox vulnerability, nor will it be the last," The TOR Project warned. People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future.

The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR. The TOR Project's reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability.