SHARE

tor 7.0 released

A zero-day vulnerability for Tor browser was revealed yesterday on Twitter by Zerodium — a company that buys and sells exploits in software.

Zerodium published the details of the vulnerability which was present in the Firefox extension NoScript (built-in to the Tor browser), which prevents web pages from executing JavaScript, Flash, or Silverlight.

Even though NoScript is supposed to block all JavaScript at its “safest” security level, but there is a backdoor that can be exploited by attackers to suppress NoScript and run malicious codes anyway.

However, this bug can be exploited in Tor Browser 7.x only and the recently released Tor Browser 8.x is unaffected by this bug.

The reason behind it is the change of Tor’s codebase from the older Firefox core to the new Firefox Quantum platform. The new add-on API’s in it protects version 8 from this vulnerability.

Besides the NoScript add-on was rewritten last year to make it compatible to the new Firefox Quantum platform. This is why the zero-day exploit in question does not work on the new Tor Browser 8.x series.

Following the revelation by Zerodim, a latest NoScript “Classic” version 5.1.8.7 has been released by the company to stop the zero-day’s exploitation vector.

Meanwhile, Tor Project has issued an official statement to ZDNet:

“It is a bug in NoScript and not a zero-day exploit of Tor Browser that circumvents its privacy protections. For bypassing Tor, a real browser exploit would still be needed.”

Nevertheless, it is advisable for Tor users to either install the NoScript update or switch to Tor Browser 8.x for better security.

Also Read: Tesla Model S Can Be Hacked In Seconds With This Raspberry Pi-powered Equipment
SOURCEZDNet
SHARE
An easygoing person with a knack for writing. Loves to laze around and binge-watch TV series. Best way to catch her attention? Show her a meme she hasn't seen!