14 DAY TRIAL // Zerodium unveiled in a tweet a Tor Browser 7.x zero-day exploit which circumvented NoScript's 'Safest' security level to run malicious code inside the browser.
Tor Browser is a modified version of Mozilla's Firefox ESR which bundles the NoScript and HTTPS Everywhere extensions, together with an installation of the TOR network accessible via the TorButton, TorLauncher, and Tor proxy.
In theory, the browser allows its users to boost their privacy and avoid man-in-the-middle (MITM) attacks while browsing the web, and is a recommended solution by most anti-surveillance advocates.
The reason behind this zero-day attack vector not being usable on the new Tor Browser release, as explained by Giorgio Maone, NoScript's developer, is that the new version has moved to the new Firefox Quantum which also comes with different, new add-on APIs.
Moreover, the newest NoScript versions are also developed to work on the Quantum platform and use the newer add-on APIs, thus making it impervious to exploits developed to work with the previous Firefox web browser core.
This only one of multiple zero-day vectors acquired by Zerodium during a bug bounty
Zerodium's CEO Chaouki Bekra told ZDNet that "we've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements. This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers."
The timing is not exactly on point seeing that Tor Browser version 8.0 has been launched on September 3rd, but the question remains of how many other exploits Zerodium still holds on.
Bekra also stated that this zero-day was released publicly to spread awareness on the lack of proper auditing for components of highly trusted security solution like the Tor Browser, with millions of users to date.
To mitigate the issues arising from this zero-day exploit, we advise all users to update Tor Browser and NoScript to their latest versions, which are known not to be vulnerable.