CYBER NEWS

Tor Browser Zero-Day Vulnerability Revealed: Patch Immediately!

Zerodium recently reported the discovery of a new zero-day exploit in the Tor browser. Earlier this year, the same exploit vendor offered $1 million for the submission of such an exploit for the Tor browser. The new Tor zero-day could reveal the identity of the websites visited by the user.




Zerodium Reveals Tor Browser Zero-Day in a Tweet

The exploit vendor reported the flaw and gave instructions on how it can be reproduced in a tweet posted on Monday. It appears that the recently released Tor Browser 8 is not affected by the zero-day:

Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript ‘Safest’ security level (supposed to block all JS). PoC: Set the Content-Type of your html/js page to “text/html;/json” and enjoy full JS pwnage. Newly released Tor 8.x is not affected.

As the tweet shows, the exploit is presented as a vulnerability in the Tor browser, but the flaw is in fact in NoScript. NoScript is a well-known Firefox extension which guards users from malicious scripts by allowing JavaScript, Java, and Flash plugins to be executed only on trusted websites. The Tor Browser is based on Firefox’s code and therefore includes NoScript by default.

Zerodium says that NoScript versions 5.0.4 to 5.1.8.6 can be bypassed to run any JS file by altering its content-type header to JSON format. This can happen even when the “Safest” security level is enabled. This means that a website can take advantage of this zero-day to execute malicious JavaScript on Tor browser and to obtain the real IP address of the victim.
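The header value quoted in the tweet is not a well-formed media type under the HTTP grammar (RFC 9110), so a strict parser can flag it. The following is an added example, not code from the article, Zerodium or NoScript: a check that a filtering proxy or a test suite could run over response headers. The function names and all sample headers except the tweet's are constructed for illustration.

```javascript
// Added example: strict Content-Type check against the HTTP media-type grammar.
// Character set for "token" (RFC 9110); "/" is not a token character.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const QUOTED = /^"(?:[^"\\]|\\.)*"$/;

// Split on ';' but not inside a quoted-string parameter value.
function splitParams(value) {
  const parts = [];
  let cur = '', inQuote = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuote && ch === '\\' && i + 1 < value.length) { cur += ch + value[++i]; continue; }
    if (ch === '"') inQuote = !inQuote;
    if (ch === ';' && !inQuote) { parts.push(cur); cur = ''; continue; }
    cur += ch;
  }
  parts.push(cur);
  return parts;
}

// Returns the media type plus a list of grammar violations (empty when well-formed).
function checkContentType(header) {
  const [media, ...params] = splitParams(header).map(s => s.trim());
  const issues = [];
  const slash = media.indexOf('/');
  if (slash < 1 || !TOKEN.test(media.slice(0, slash)) || !TOKEN.test(media.slice(slash + 1))) {
    issues.push(`malformed media type: "${media}"`);
  }
  for (const p of params) {
    if (p === '') continue; // empty parameters are permitted by the grammar
    const eq = p.indexOf('=');
    const name = p.slice(0, eq), val = p.slice(eq + 1);
    if (eq < 1 || !TOKEN.test(name) || !(TOKEN.test(val) || QUOTED.test(val))) {
      issues.push(`malformed parameter: "${p}"`);
    }
  }
  return { mediaType: media.toLowerCase(), wellFormed: issues.length === 0, issues };
}

// Sample values: the first is the one quoted in the tweet, the rest are constructed.
const SAMPLES = ['text/html;/json', 'text/html; charset=utf-8', 'application/json; note="a;b"'];
for (const h of SAMPLES) {
  const r = checkContentType(h);
  console.log(h, '->', r.wellFormed ? 'ok' : r.issues.join('; '));
}
```

A value that fails this check is worth logging or rejecting before any content-type-based decision (such as whether to allow script execution) is made on it.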

Fortunately, the latest version of Tor is not affected by this vulnerability, simply because the NoScript plugin for the Quantum version of Firefox is based upon a different API format. However, users running Tor 7.x are urged to update the browser as soon as possible to the latest release to avoid any compromise.

Finally, NoScript was notified about the issue and fixed the flaw with the release of NoScript “Classic” version 5.1.8.7.

Milena Dimitrova
