TOR Project: Stop using Windows, disable JavaScript

The anonymizing network gives some advice following a startling Firefox zero-day vulnerability

The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network.

The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network.

"Really, switching away from Windows is probably a good security move for many reasons," according to a security advisory posted Monday by The TOR Project.

The TOR Project's reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.

People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. "This wasn't the first Firefox vulnerability, nor will it be the last," The TOR Project warned.

The JavaScript was likely planted on certain websites that the attacker wanted to see who came to visit. The script collected the hostname and MAC (Media Access Control) address of a person's computer and sent it to a remote computer, the exact kind of data that TOR users hope to avoid revealing while surfing the Internet.

"This exploit doesn't look like general purpose malware; it looks targeted specifically to unmask Tor Browser Bundle users without actually installing any backdoors on their host," said Vlad Tsyrklevich, a security researcher who analyzed the code, in an email. He published an analysis on his website.

The TOR Project also advised users to turn off JavaScript by clicking the blue "S" by the green onion within the TOR browser.

"Disabling JavaScript will reduce your vulnerability to other attacks like this one, but disabling JavaScript will make some websites not work like you expect," TOR wrote. "A future version of Tor Browser Bundle will have an easier interface for letting you configure your JavaScript settings."

The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle. The bundle's browser, based on Firefox, is specially configured to visit TOR sites, which have URLs that look like "http://idnxcnkne4qt76tg.onion/."

Requests to websites on TOR take a circuitous route through a network of servers around the world designed to obscure a computer's IP address and other networking information that makes it easier to link a computer to a user.

Several TOR Browser Bundle versions were fixed over a four-day period starting June 26. Although the Browser Bundle will automatically check for a new version, it is possible that some users didn't upgrade, which could have put them at risk.

"It's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services," The TOR Project wrote.

Although unconfirmed, computer security experts have theorized the malware may have been used by law enforcement to collect information on people who browsed certain TOR websites supported by a company called Freedom Hosting.

That hosting company is believed to be connected to a 28-year-old man, Eric Eoin Marques. He is being held by Irish authorities pending an extradition request from the U.S. on charges of distributing and promoting child pornography, according to the Irish publication the Independent.

In response to a query about the case, the FBI said Monday that someone had been arrested as part of an investigation, but did not identify the person.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the PC World newsletter!

Error: Please check your email address.

Tags The TOR Projectapplicationssecuritybrowserssoftwaremalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?