Tor Browser Bundle for Windows users susceptible to info-stealing attack

Analysts link exploits of Firefox 17 vulnerabilities to crackdown on child-porn operation

Users running the Firefox-based Tor Browser Bundle for Windows are being targeted by an attack that lets the perpetrator snag victims' host names and MAC addresses or even take over their systems, according to the official Tor Project blog. Various reports have linked the attack to Federal agencies, possibly as part of a crackdown on Freedom Hosting for alleged distribution of child pornography.

Tor is a network of virtual tunnels through which users can share information anonymously. Tor directs Internet traffic through a worldwide volunteer network of 3,000-plus relays to conceal user location or usage. Software developers use the network to create new communication tools with built-in privacy features; other organizations use the serve to conduct confidential business, both legal and illicit.

Analysts have linked the attacks to the shutdown of Freedom Hosting, a purveyor of secret services for sharing child pornography. Freedom Hosting went offline over the weekend. Eric Eoin Marques, who is allegedly behind Freedom Hosting, faces extradition later this week in a Dublin high court for distributing and promoting child abuse material online. Marques is a dual citizen of the United States and Ireland and currently resides overseas.

The attackers are exploiting a vulnerability in Firefox 17.0.7 ESR (Extended Support Release), for which Mozilla issued a patch last year. Mozilla recommended that Firefox ensure their browsers are up to date. Similarly, the Tor Project advised that users of the Tor Browser Bundle, which includes Firefox plus privacy patches, to update to one of the following versions: 2.3.25-10 (released June 26, 2013), 2.4.15-alpha-1 (released June 26, 2013), 2.4.15-beta-1 (released July 8, 2013), or 3.0alpha2 (released June 30, 2013.)

"The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim's computer. However, the observed version of the attack appears to collect the host name and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit," according to Tor project leader Roger Dingledine. "The attack appears to have been injected into (or by) various Tor hidden services, and it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services. We don't currently believe that the attack modifies anything on the victim computer."

Notably, the vulnerability affects only Windows users, according to Tor Project. "To be clear, while the Firefox vulnerability is cross-platform, the attack code is Windows-specific. It appears that TBB users on Linux and OS X, as well as users of LiveCD systems like Tails, were not exploited by this attack," wrote Dingledine.

Dingledine suggested that users consider switching to a "live operating system" approach, such as Tails, or at least dumping Windows. "Really, switching away from Windows is probably a good security move for many reasons," he wrote.

The Tor Project has taken pains to distance itself from Freedom Hosting while defending the value of its network for hosting hidden services. "Anyone can run hidden services [on Tor], and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them," read a Tor Project blog post that went up over the weekend.

"The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research," according to the post.

Tor has also been linked to illicit and unsavory activities, such as leaking sensitive information, hacktivism, copyright infringement, selling drugs and black-market goods, and laundering money.

Beyond urging Tor Bundle Users to keep their software up to date, Dingledine suggested that users consider disabling JavaScript. Doing so, he wrote, "will reduce your vulnerability to other attacks like this one, though he cautioned that disabling JavaScript can also cause some sites not to load or run properly.

"A future version of Tor Browser Bundle will have an easier interface for letting you configure your JavaScript settings," according to Dingledine. "You might also like Request Policy. And you might want to randomize your MAC address, install various firewalls, etc."

This story, "Tor Browser Bundle for Windows users susceptible to info-stealing attack," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.