An attack against Tor Browser users on Windows machines was discovered this Sunday, and there is speculation that the uncovered malware was used by a law enforcement agency to harvest the IP addresses of users of several hidden services hosted by Freedom Hosting. The malware exploits a serious JavaScript security vulnerability affecting Firefox and other products that share the same code base, including the Tor Browser.
If you are using software based on Firefox major version 21 or earlier, Thunderbird 17.06 or earlier, or SeaMonkey 2.18 or earlier, please update your software immediately. Tor Browser Bundle users who have not updated to the most recent version are also at risk, and so we've provided a screenshot tutorial for how to update the Tor Browser Bundle below.
Tor and the Tor Browser: Security and the Importance of Updating
Tor is a powerful anonymity tool that allows human rights activists, dissidents and whistleblowers to use web services anonymously to avoid harassment, imprisonment and in some cases death. Tor also allows users to circumvent several forms of surveillance and censorship. The Tor Browser is a modified version of Firefox that ships with the Tor Browser Bundle to provide users with an easy way to browse with Tor without any configuration required.
Given the importance of Tor to users around the world, the security of both Tor and the Tor Browser are absolutely critical. This type of attack cannot be narrowly focused on particular Tor or Tor Browser users suspected of breaking the law, and leaves vulnerable the multitude of other users worldwide who depend on these tools for anonymity. In this case, all users of older versions of the Tor Browser Bundle are potentially vulnerable and the issue requires immediate attention.
What Can Users Do?
Tor does not provide automatic security updates. Instead, the Tor Browser currently requires users to manually download and install the update of the Tor Browser Bundle. The Tor Project is working on a fix for this, and this attack highlights the importance of allowing users to auto-update. For now, if you are using an outdated version of the Tor Browser, you should update your Tor Browser Bundle software immediately. Here are detailed instructions for Windows users:
1. Open your current Tor browser, and determine what version of Firefox is running by clicking the "TorBrowser" button:
2. Click on "Help" -> "About TorBrowser" to determine your version. If it below 17.07, then you are vulnerable:
3. Click the TorButton icon and go to "Download Tor Browser Bundle Update":
4. You should be taken to the Tor Browser Bundle homepage, where you click to download the executable file:
5. Download this executable file. Click through the warning about launching the executable file:
6. Once the file is downloaded, extract the application either to the same directory where Tor exists or a new directory for this version:
7. Launch the "Start Tor Browser" executable from the same directory where you extracted the application and check the version to make sure that you're up to date.
If you see Firefox version 17.0.7 or greater, then you're up to date.
This particular attack appears to affect only Windows users who have not updated to the most recent version of the Tor Browser Bundle. Because of this and a variety of other reasons that make it challenging to use Windows securely, Tor advises that "switching away from Windows is probably a good security move." If moving to a different platform is not practical, it is especially important to keep up with software updates. The advisory also recommends that users concerned about their security consider disabling JavaScript and installing the Firefox add-on Request Policy, which allows you to control which origins are loaded from a given website.