Things running through my head: metadata, traffic analysis, tor, darknets, meshnets/ tor over meshnet, etc, etc. That kind of stuff should all be off by default. Just saying.

Also, my vote is to keep the javascript bit out of the subsequent tor updates / releases. Will it ever be made available in a way such that it can be incorporated directly into browser x, y, or z (any browser) as a button that you would click on in your browser, and right then, you are connecting to the tor network?

Because (assuming the security issues are addressed) I think that would be a really neat feature. TBB updates, fixes, etc… is this also happening for Tails?

And, I’m curious if Tor will ever be developed into something like an extension for Chrome, for example. Has that been done yet? If not, is the issue / problem related to a need for more volunteers, more donations, something else entirely?

And, re. Not sure if this has been finished yet, but some time back there was this effort to bulk up ECC / keys and deal with hidden services problems and address other Tor issues. weird, at the very least, that they would target something that only a small number of TOR users would be using to test. It also appears that the attack was specifically aimed at people using the Alpha Version of Tor Browser Bundles “No Vidalia needed” version that came out before the latest. This “became” a 0day on 25 June – when the FBI knew about it is still, ontologically, an open question.

Agreed, Daniel. Is there any way to confirm that this FBI malware hasn’t been used prior to the 25 June public disclosure of the memory bug being exploited? Just because we’re seeing this latest Tor exploit today doesn’t mean it’s not been used previously – or does it? Are we all so confident that we’d know if this exploit was being used, say, 3 months ago in a more selective manner… but nobody noticed?
The number of users vulnerable to this (those who aren’t up to date) is dropping fast so the exploit is losing most of its value anyway. This wasn’t a “zero day” attack, it was an exploit based on a security advisory from 6 weeks ago. It would be ideal for most Firefox people to update to the latest all the time, however I don’t know if even a majority are updated to the latest according to the analytics sites like statcounter and netapplications. I expected Zero day attacks by the feds to be for more selective high level secretive espionage purposes, however the fact that they used it to bust up a child porn ring (as horrific as it is) makes it seem that zero days in Firefox aren’t as hard to come by as I thought. Is it known what was contained in the content_1.html payload? The one loaded into the iframe in ESR versions < 17, and are these versions immune to the exploit? Maybe we're missing something else, contained in that page. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack. Since this attack was found on Tor hidden services presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. People who are on the latest supported versions of Firefox are not at risk.

Although the vulnerability affects users of Firefox 21 and below the exploit targets only ESR-17 users. The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7. Browse free.

8 comments on “Investigating Security Vulnerability Report” We are actively investigating this information and we will provide additional information when it becomes available.

Director of Security Assurance Browse fast. Firefox 17 is currently the extended support release version. Mozilla has been notified of a potential security vulnerability in Firefox 17.
Firefox users should follow these instructions to confirm they are running the latest version of Firefox (currently version 22 and 17.0.7 for ESR) which contains the fixes for this vulnerability. This vulnerability was fixed in Firefox versions 17.0.7 and 22, which were released on June 25, 2013. Mozilla has been alerted that this issue is being actively exploited in the wild and urges all users to make sure their Firefox is up to date. If a user is running an outdated version of Firefox, then this vulnerability could be used by an attacker to execute malicious software on a victim’s machine. Users who are on the latest version of Firefox (version 22) or Firefox ESR (version 17.0.7) are not at risk. Upon investigation we confirmed the vulnerability and determined the root of the issue was related to MFSA 2013-53. Mozilla was notified on Augof a potential security vulnerability with Firefox 17 (current general release is Firefox 22).