A Firefox/Tor Browser 0day JS+SVG exploit is actively being used in the wild

A Firefox/Tor Browser 0day JS+SVG exploit is actively being used in the wild.

It appears to be another FBI exploit targeting Tor Browser users. Firefox is aware of it and currently patching as fast as possible.

lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

The payload is almost identical to the 2013 Freedom Hosting exploit.

arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/


Damn, that's like 5 0day exploits in the last 2 years. When was the last time a Chrome 0day was in the wild?

Looks like it goes after Windows users with Javascript enabled again too.


Here's a couple somewhat recent ones:
arstechnica.com/security/2015/07/hacking-teams-flash-0day-potent-enough-to-infect-actual-chrome-user/
thehackernews.com/2015/11/android-hacking-chrome.html

Yeah, but I think Hacking Team had to use a Windows kernel font vulnerability to escape Chrome's sandbox. That was Windows' fault.

>lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

According to Hacker News, this exploit is being used on a CP site called Giftbox.

news.ycombinator.com/item?id=13067765

Ignore that second link, missed the "in the wild" part.
Here's a better list, but not necessarily in the wild:
cvedetails.com/vulnerability-list.php?vendor_id=1224&product_id=15031&version_id=0&page=1&hasexp=0&opdos=0&opec=1&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=78&sha=de3d2bf76af9f0969b374a8b9f2421be92ad7a31

lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

I ran this exploit code on my Mac to see what would happen. It crashed Firefox... then I saw this:


Will the FUCKO squad be knocking on my door soon?

The exploit only affects Windows at the moment, but the exploit can be repurposed for any OS that runs Firefox.


If you were using Windows, then maybe...

Only if your Mac was also running kernel32.dll, like if you were running Windows on it.

Inb4 shill- Tor Browser with security slider on high is a good default for most users and would prevent this exploit.

Does the security slider stop .svg files from loading?

Yes, the highest security slider setting disables SVG files from rendering. Tor Browser uses a custom patch to do it.

The high setting also disables Javascript by default.


The problem with Chrome is that it's so pozzed by Google "privacy is dead" that trying to safely use it with Tor is very difficult. trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
Ideally Firefox would adopt Chrome's security sandbox approach so you'd get the best of both.

Get fucked pedoshits

Remind me why this shit exists instead of a real web vector image format.

Tor browser needs to switch to Chromium, it's far more secure than Firefox.

see

What the fuck happened to this place

This place has always relied on facts. You provide none. Standard shill tactic is to insult your opponent when you have no argument.

Reminder, the FBI is the darkweb's biggest distributor of CP. This is a fact even mainstream technology press has written about.

I wouldn't be shocked if they even produce most of it given what's come out on PizzaGate - but that's just a guess.

What's going on here?

...

Okay user, sell us on Microsoft VML.

No, you're fine unless you're on Gift Box, then you're fucked.

Imagine if all images in the web were stored as dataURLs and xml text and can also contain scripts. That's what SVG is.
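An added example (not from this thread) of what that means in practice for a defender: a small checker that parses an SVG and reports the active content a plain "image" can carry, namely script elements, on* event handlers, javascript: links, foreignObject and SMIL animation elements (the animation elements matter because they are what the crash demo later in this thread is triggered through). The sample SVG is constructed and benign; the function names are mine.

```python
"""Report active content inside an SVG file (script, event handlers, SMIL, foreignObject)."""
import xml.etree.ElementTree as ET

# Note: xml.etree still expands internal entities; for untrusted uploads in
# production, parse with defusedxml instead (assumption: you have it installed).
SMIL_TAGS = {"animate", "animateTransform", "animateMotion", "animateColor", "set"}
CODE_TAGS = {"script", "foreignObject"}
URL_SCHEMES = ("javascript:", "data:")


def _local(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means no active content."""
    findings = []
    for el in ET.fromstring(data).iter():
        name = _local(el.tag)
        if name in CODE_TAGS:
            findings.append(f"<{name}> element")
        elif name in SMIL_TAGS:
            findings.append(f"SMIL animation <{name}>")
        for attr, val in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):            # onload, onclick, onbegin, ...
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and val.strip().lower().startswith(URL_SCHEMES):
                findings.append(f"href={val[:20]} on <{name}>")   # xlink:href or href
    return findings


def is_static_image(data: bytes) -> bool:
    """True only when the SVG is pure vector data with nothing that can run."""
    return not scan_svg(data)


# Constructed sample: a few shapes wrapped around every kind of active content.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <rect width="10" height="10">
    <animate attributeName="width" from="10" to="100" dur="2s"/>
  </rect>
  <a xlink:href="javascript:void(0)"><circle r="5"/></a>
  <script>init = function(){};</script>
</svg>"""

CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for line in scan_svg(SAMPLE_SVG):
        print(line)
```

A gateway that rasterizes or rejects anything where `is_static_image()` is false removes the script surface while leaving real drawings untouched.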

Place has been going downhill steadily, pretty obvious from the 6pph

en.wikipedia.org/wiki/Web_beacon


I wonder if I am the only one here still who is old enough to have a BBS while my grandchildren get their diplomas.

Ah, ic. Only came back 'cause of 2 threads: Wikileaks, and Unix history to date:
Sad none can appreciate not only the work made, but the history made to this day. I can only hope my great grandchildren make better things.

Oh well, at the least >>>Holla Forums died with an ayy lamo.

It's not like chrome is used by tor.

You can encode vector data in XML format and also embed Javascript programs in the format? Obviously, such a data format can never be used in scalable vector graphics.

If you're the user I accused of being a shill and are truly who you say you are, then my apologies. In these Tor related threads at least, you met all my criteria for one:
- claim to have secret, insider knowledge
- spread FUD with no supporting evidence
- insult your opponents liberally
- claim "all is lost"

The real psyop is to create an environment of fear. What better way to censor a supposedly free people than to train them to censor themselves? By spreading FUD against basic security measures such as Tor and suggesting no alternatives you only perpetuate that and should consider if you are being used as a useful idiot/stooge.

If you can provide constructive criticism of places where Tor could be improved or specific measures people can implement to improve security beyond that, I'll happily back down. If you're just going to rehash known Tor weaknesses that have been covered a thousand times before, ima keep calling you shill. Stay or go, it's a free country.

> w3.org/TR/beacon/

>en.wikipedia.org/wiki/Web_beacon
That's just an image. The image file is not relevant for that purpose, it's just the smallest file they can transfer.

Only the pedos who enabled JavaScript on Tor and browsed the Gift Box (which was obviously compromised) got caught.
How does it feel that your moralfag FBI will never arrest me?

But Tor Browser does not have it on high by default, and most won't change it.

JS is on by default

I wonder how many blackhats just crawl CP sites with bots all day?

They are a good source for 0day browser exploits.

Web browsers can be exploited without JavaScript. Disabling JS will not make you 100% safe. Modern web browsers have an insane attack surface.

And besides, one of the lead developers of Tor (arma) has heard a "rumor" about bugs in NoScript:

"That said, we've also been hearing rumors about bugs in Noscript that would let a website sneak some javascript past Noscript."

Everyone agrees, fuck the pedos, but the FBI just put thousands of companies and millions around the world at risk because their 0day Firefox exploit leaked to the broader web.

And because of shitty policies, most companies will be using vulnerable versions of Firefox for months.

Supposedly limited government hacking is a risk to everyone.

I patched Firefox, but the SVG vulnerability is still crashing my browser.

Click "pause animation" to trigger the vulnerability (this doesn't contain a malicious payload):

[embedded SVG demo, controls: "Pause animation 1", "Animation 1:", "Animation 2:"]

Motherfucking thank you.

Several of the playpen cases were thrown out by judges on the basis of illegal evidence. Judicial shortcuts result in guilty men walking free.

This is the web site the exploit was used on. It was used after registering for the site.

It's a CP site, but the problem I have is there no indication it's a CP site from the homepage alone.


>twitter.com/josephfcox/status/804073461274595328

Actually only like 3 cases out of 100 were thrown out. Many other judges found the warrant illegal on a technicality, but they kept the evidence because it was in "good faith".

Those "shortcuts" are designed to circumvent laws that restrict obtrusive government regulation and laws that protect citizens' rights to due process and equal treatment under the law. Your personal opinions about a social minority that is attracted to persons under 18 do not invalidate the United States constitution.

For other software, usually less than 5% of users change default settings.

I wonder what percentage of Tor users change the default security setting.

Their last NIT on a similar site resulted in about 1000 IPs from about 50000 weekly visits. No idea how many were repeat visits.

...

Are you doing this intentionally?

Whoa, interesting. How the fuck did they manage to pull that off?

Nothing except trivial code is 100% bug-free. A better way is how the web used to be in the 90's, so you could use a simple browser instead of needing a huge mass of bugs. Netscape existed, but it wasn't mandatory the way Firefox & Co. are today. Instead they had fun pages with applets and shit, but nothing you couldn't live without.

It was actually recently revealed to be 8000+ users in 120 countries.

C U C K S

Is there any image search that doesn't require JS?

So the first link is Flash, not Chrome?
Ofc most users don't disable Chrome's Flash but all sane people do.

You realize the exact same thing could be said for javascript, right?

mozilla.org/en-US/security/advisories/mfsa2016-92/

The latest furryfucks just patched an SVG exploit. Is this it?

What does this mean for Debian users? We are still on Firefox 45 thanks to "muh stabiliteh".

Should I migrate to Testing? Stable is comfy AF. ;-;

Just because you're using an old stable version doesn't mean it isn't getting security updates:
en.wikipedia.org/wiki/Firefox_release_history#Firefox_45.5_ESR
Most recent security update for Firefox 45 was on November 15th.

Are pedos really dumb enough to browse a CP site with JavaScript enabled and on Windows in current year?

Haha but let's set NoScript to blacklist mode in the TBB because using whitelists is too hard X-DD
Remember to never use Firefox with Tor manually because TBB is preconfigured and you might make a mistake with your config :-DDDDD
t. Tor developers

Do we need any more proof that the Tor team is either compromised or dangerously incompetent? How the everloving fuck am I supposed to trust these idiots?


Yes, they are. The average pedo knows as much about OPSEC as the average idiot, i.e. nothing. They see "use this for Instant Security™®" and care no further.

Most people are dumb.
Are people really dumb enough to browse porn with JavaScript enabled and on Windows in current year?
I would think that is what most people do, it's just that what most people are attracted to won't get them arrested for watching porn of it.

The idea is that your average idiot will stop using Tor Browser when nothing works properly and will be in a worse situation than using Tor Browser with only some of the protections.
Lots of people using Tor is required for it to work.

Are you seriously telling me that somebody who is too dumb for NoScript will even consider TBB? A lot of sites on the web already don't work properly over Tor because you get Cloudflare and captchas up the ass, so it's not like everything is smooth sailing with JS either.
Even then, they could at least tell their users that the "pre-configured" browser isn't configured for proper security. Afaik the only hint in this general direction is "you need to change your browsing habits to be fully secure".

The Tor developers use Noscript because it provides additional protection against XSS attacks and others. When you first start up the browser, there is a popup bar that directs you to the security slider. Once there, the various settings/tradeoffs are explained clearly.
Have you tried it in the past couple years, or just bitched about it?

If you block too much JavaScript, people would stop using it. You are free to change the configuration, I don't see the problem. The Tor people did a pretty good job.