TOR Project: Stop using Windows, disable JavaScript

The anonymizing network gives some advice following a startling Firefox zero-day vulnerability

The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network.

The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network.

"Really, switching away from Windows is probably a good security move for many reasons," according to a security advisory posted Monday by The TOR Project.

The TOR Project's reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.

People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. "This wasn't the first Firefox vulnerability, nor will it be the last," The TOR Project warned.

The JavaScript was likely planted on certain websites whose visitors the attacker wanted to identify. The script collected the hostname and MAC (Media Access Control) address of a person's computer and sent them to a remote computer, the exact kind of data that TOR users hope to avoid revealing while surfing the Internet.

"This exploit doesn't look like general purpose malware; it looks targeted specifically to unmask Tor Browser Bundle users without actually installing any backdoors on their host," said Vlad Tsyrklevich, a security researcher who analyzed the code, in an email. He published an analysis on his website.

The TOR Project also advised users to turn off JavaScript by clicking the blue "S" by the green onion within the TOR browser.

"Disabling JavaScript will reduce your vulnerability to other attacks like this one, but disabling JavaScript will make some websites not work like you expect," TOR wrote. "A future version of Tor Browser Bundle will have an easier interface for letting you configure your JavaScript settings."

The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle. The bundle's browser, based on Firefox, is specially configured to visit TOR sites, which have URLs that look like "http://idnxcnkne4qt76tg.onion/."

Requests to websites on TOR take a circuitous route through a network of servers around the world designed to obscure a computer's IP address and other networking information that makes it easier to link a computer to a user.

Several TOR Browser Bundle versions were fixed over a four-day period starting June 26. Although the Browser Bundle will automatically check for a new version, it is possible that some users didn't upgrade, which could have put them at risk.

"It's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services," The TOR Project wrote.

Although it is unconfirmed, computer security experts have theorized the malware may have been used by law enforcement to collect information on people who browsed certain TOR websites supported by a company called Freedom Hosting.

That hosting company is believed to be connected to a 28-year-old man, Eric Eoin Marques. He is being held by Irish authorities pending an extradition request from the U.S. on charges of distributing and promoting child pornography, according to the Irish publication the Independent.

In response to a query about the case, the FBI said Monday that someone had been arrested as part of an investigation, but did not identify the person.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Jeremy Kirk

IDG News Service