Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica) [LWN.net]

Ars technica is one of many sites with coverage of the Firefox exploit that was used to attack the anonymity of Tor users. "The attack code exploited a memory-management vulnerability, forcing Firefox to send a unique identifier to a third-party server using a public IP address that can be linked back to the person's ISP. The exploit contained several hallmarks of professional malware development, including 'heap spraying' techniques to bypass Windows security protections and the loading of executable code that prompted compromised machines to send the identifying information to a server located in Virginia, according to an analysis by researcher Vlad Tsrklevich."

to post comments

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 5, 2013 23:29 UTC (Mon) by bjacob (guest, #58566) [Link] (10 responses)

It is worth noting that the exploit was specifically in the outdated Firefox 17 version; while a branch of Firefox 17 is still maintained as part of the "ESR" long-term support program, the point of ESR is not to maximize security --- it is rather to accomodate the needs of organizations that prefer a slower pace of releases --- and Mozilla has explicitly communicated that ESR releases would be *less* secure than standard ones, because the realities (complexity vs pace of change vs attack surface) of modern browsers make it so that the more frequently updated branch is also the more secure one.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 5, 2013 23:36 UTC (Mon) by bjacob (guest, #58566) [Link] (9 responses)

Oh, and in fact, even the ESR branch was already secure in this case --- it had received the backport of the security fix as part of the ESR 17.0.7 release on June 25.

http://www.mozilla.org/security/announce/2013/mfsa2013-53...

So was Torbrowser using an *unsupported* Firefox release until now ?! That seems to defeat the point of a would-be anonymizing browser.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 5, 2013 23:49 UTC (Mon) by JoeBuck (subscriber, #2330) [Link] (2 responses)

Attackers are going to focus on whatever version Tor bundles, since non-expert Tor users are going to use the setup that makes it easy.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 5, 2013 23:53 UTC (Mon) by k8to (guest, #15413) [Link] (1 responses)

In fact, the TOR project explicitly recommends using the bundle because of the nontrivial nature of ensuring nothing exposes the browser.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 17:54 UTC (Tue) by rahvin (guest, #16953) [Link]

This is very important and I'm glad you posted it. Those Syrian rebels using TOR need to understand that this is a non-trivial task, without some custom configuring you can read cookies and other information that can identify the user. If you use the TOR browser bundle at start up it checks for a new version, it also provides no-script by default and setups all the little configuration details to ensure there is no access to cookies or other identifying information. The rebels lives depend on their identities not being revealed and they aren't the only group of people in this world that need the protection of anonymous browsing.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 0:53 UTC (Tue) by cesarb (subscriber, #6266) [Link] (1 responses)

> So was Torbrowser using an *unsupported* Firefox release until now ?

No.

https://blog.torproject.org/blog/tor-security-advisory-ol...

If that blog post says the truth (and I have no reason to doubt it), and I am reading it correctly, a fixed version had already been released more than a month ago.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 1:10 UTC (Tue) by bjacob (guest, #58566) [Link]

Great, thanks for the link. That clarifies it.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 6:08 UTC (Tue) by gmaxwell (guest, #30048) [Link] (3 responses)

And TBB is ESR at least in part because of the non-trivial cost in carrying around the patches required to close information leaks in the browser and otherwise harden it.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 6:51 UTC (Tue) by pabs (subscriber, #43278) [Link] (2 responses)

It would be awesome if TBB were merged into the Firefox private browsing mode.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 9:53 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (1 responses)

The stance from browser vendors is that the "private" mode is only supposed to prevent embarrassing scenarios where, e.g. autocomplete takes your daughter to your favourite porn site, or your spouse accidentally opens a tab with all the hotel details for the surprise anniversary weekend away you just booked. The messages displayed when you activate this mode in various popular browsers align with that.

It's like password masking, using rot13 on the stored password doesn't make it difficult for bad guys to find the original password but it means someone who happens to glance at the config file is much less likely to come away with "MoonMoonForPresident" seared into their memory. Or think of it like the lock on a typical bathroom door. Can I open the lock from the "wrong" side with the tools in my pocket? Yes I can. But people don't, because they don't want to walk in someone using the toilet, the feeble lock is a prompt to remind us of a social convention and nothing more.

TOR is a big deal, to get any benefit users have to understand what it is and is not doing, and what that means for how they use a browser. Just labelling it "Super private mode" would be false advertising. Not to mention that then obviously TOR will be incredibly slow for everyone so they'll presumably switch it back off again and pronounce the whole thing a "waste of time".

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 10:01 UTC (Tue) by pabs (subscriber, #43278) [Link]

Looks like Mozilla are considering integrating the TBB into Firefox now:

https://twitter.com/BrendanEich/status/364265592112414720

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 18:32 UTC (Tue) by brouhaha (subscriber, #1698) [Link] (4 responses)

Since the IP address block apparently belongs to the NSA, this strongly suggests that the NSA is willfully violating the Computer Fraud and Abuse Act of 1986 (18 U.S.C. § 1030), a felony punishable by up to ten years in prison.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 19:01 UTC (Tue) by job (guest, #670) [Link] (3 responses)

How can you tell? I wouldn't expect the NSA to front their own network when running clandestine black hat operations on the public Internet. Not surprisingly is this IP address part of a big netblock of unnamed commercial customers of a large Tier 1. So how does one know?

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 21:16 UTC (Tue) by JoeBuck (subscriber, #2330) [Link] (2 responses)

The NSA folks aren't fools. I think that this attack was designed to be discovered, along with the NSA address, because it would have been so easy to use a machine anywhere on the net, or more than one, to receive the unique IDs. I can think of two possibilities: to scare people away from Tor, or to make it appear as if the NSA is the culprit.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 22:03 UTC (Tue) by raven667 (guest, #5198) [Link]

> The NSA folks aren't fools.

These folks aren't super-human either and secrecy hides much incompetence, sure they _could_ have done what you say but isn't it more likely that the person who set this up just didn't think about it or didn't personally have access to budget for new resources to hide this.

Attackers wield Firefox exploit to uncloak anonymous Tor users (ars technica)

Posted Aug 6, 2013 23:02 UTC (Tue) by job (guest, #670) [Link]

Then tell me how it was discovered. Because I do not see it.

Yes, because of the comparably restricted payload and the nature of the websites it is likely it there is some law agency behind it, probably North American. There leaves us with a handful, plus whatever private contractors that offer these services.