back to article Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch zero-day vuln

Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users. Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and …

  1. Ole Juul

    context

    "This is a JavaScript exploit actively used against Tor Browser now," the author wrote.

    JavaScript is a convenience allowed for casual TorBrowser use. When using Tor for serious security, and where becoming identified could have serious consequences, JavaScript is always turned off.

    1. Anonymous Coward
      Anonymous Coward

      Re: context

      Even better, treat Javascript as a convenience option that's blocked by default, and only enable it if you choose to take the risk for a specific site and use.

      1. Ole Juul

        Re: context

        Good idea. But there is already "security slider" which goes from high to low and which automatically adjusts various aspects like that without the user having to understand a lot of details.

        1. Anonymous Coward
          Anonymous Coward

          Re: context

          Noscript is fairly obsolete. Tor Browser should find a better default blocker, preferably one with paranoid default settings.

          Has anyone gotten uMatrix to work with TB? I gave it a quick try but Noscript seems to be all tangled up with TB's security enhancements... which could be streamlined if the default blocker addon had the right defaults.

  2. EJ

    NoScript FF add-on

    It's a wonderful thing.

  3. Crazy Operations Guy

    "First off, it's a garden variety use-after-free, not a heap overflow, and it affects the SVG parser Firefox."

    So the flaw isn't an extremely incompetent programmer, just a garden-variety terrible programmer? Seriously, use after free errors are way too basic of an error to occur with something that is supposed to be secure. I'm concerned that this was caused by a programmer getting too many 'potential use-after-free' error messages that the compiler was throwing so just decided to turn that feature off rather than try to fix the errors.

    As for SVGs, why in the holy fuck, does an -image parser- have access to networking functions? The only thing it should be doing is to draw shapes on a canvas and then send the canvas to a BMP for the browser to paste into the webpage.

    Oh well, I suppose its back to Lynx for my secure web browsing needs...

  4. Anonymous Coward
    Linux

    Access to VirtualAlloc in kernel32.dll

    I can't find kernel32.dll on my computer, how am I supposed to run this advanced computing innovation here?

  5. Ole Juul

    Update

    This thread is a couple days old, but in case anybody is still watching, there is a patch being pushed out right now and most people should have it automatically already. Also, here is a description of the problem:

    * It looks like the vulnerability was in Firefox's SVG animation, so the exploit does not work unless you have both svg and javascript enabled. The "high" setting of Tor Browser's security slider disables both of these pieces of the browser.

    So, it wasn't very serious in the first place.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021