Security Experts:

Tor Tells Users to Upgrade Browser Bundle After Freedom Hosting Attack

More information is trickling out about a Firefox vulnerability used to compromise some users of the Tor network as speculation about the origin of the attack continues to swirl.

While rumors of a compromise of the Tor network had begun to spread during the weekend, it appears now that the attack exploited a flaw in the Firefox browser, which is included in the Tor Browser Bundle. The vulnerability at the center of the controversy is MFSA 2013-53, which was patched in Firefox 22 and Firefox 17.07 ESR.

According to the Tor Project, the following versions of the Tor Browser Bundle include a fix:

    2.3.25-10 (released June 26, 2013)

    2.4.15-alpha-1 (released June 26, 2013)

    2.4.15-beta-1 (released July 8, 2013)

    3.0alpha2 (released June 30, 2013)

"In principle, all users of all Tor Browser Bundles earlier than the above versions are vulnerable," according to a security advisory from the Tor Project. "But in practice, it appears that only Windows users with vulnerable Firefox versions were actually exploitable by this attack."

"It appears that TBB users on Linux and OS X, as well as users of LiveCD systems like Tails, were not exploited by this attack," the advisory continued. "The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim's computer. However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services."

News of the compromise followed the arrest in Ireland of Eric Eoin Marques. According to the, authorities in the U.S. are currently trying to have Marques extradited on child pornography charges. News reports have linked him to Freedom Hosting, a hidden service provider reachable through the Tor Network that has been accused of ties to child pornography  in the past.

Around midnight on Aug. 4 - just three days after Marques' Aug. 1 arrest, Tor was notified that a large number of hidden service addresses had disappeared from the Tor Network. Rumors quickly began to circulate that sites served by Freedom Hosting had been compromised with code designed to unmask the identity of anyone visiting them and sending the information back to an IP address in the Washington D.C.-area. The IP address has been linked to defense contractor SAIC [Science Applications International Corporation].

In an analysis of the malware, researcher Vlad Tsyrklevich wrote that the payload connects to the IP address and sends it an HTTP request that includes the hostname and the MAC address of the local host.

"Because this payload does not download or execute any secondary backdoor or commands it's very likely that this is being operated by an LEA [law enforcement agency] and not by blackhats," he wrote.

"The revelations will prove worrying for many legitimate Tor users, who rely on the service to protect them from snooping by government agencies," blogged John Hawes, technical consultant and test team director at Virus Bulletin. "While it may sometimes be used for criminal purposes, Tor also often allows access to freedom of speech which might otherwise be denied to people in certain parts of the world."


view counter