
Torbutton 1.1.15-alpha released

Torbutton 1.1.15-alpha has been released at
https://torbutton.torproject.org/dev/. Those of you who installed
Torbutton 1.1.14 should also be able to fetch the latest version
now by simply clicking Find Updates in the addons window.

This release features a number of fixes for bugs discovered by Gregory
Fleischer. Greg discovered a way to unmask the Javascript hooks for
window.screen, window.history, window.Date and window.navigator. It is
technically possible to use an unmasked window.history object in
combination with an exploit for Firefox Bug 409737 to write Javascript
that waits for Tor to be disabled to connect to a site via your IP.

The Date unmasking unfortunately has not been fixed due to
idiosyncrasies with the way the Date class is implemented in the
Firefox Javascript interpreter. This means it is possible for a
malicious website or exit node to determine your timezone if they
perform Greg's attack to unmask the original Date implementation from
behind the hooks. 

It appears that the only way to fix this issue is to implement a
fix for either Firefox Bug 392274 or 419598.

Here is the complete ChangeLog for 1.1.15:
 * bugfix: Fix hook unmasking of window.screen, window.history,
   and window.navigator discovered by Greg Fleischer. window.Date 
   unmasking is still unfixed. window.history unmasking represents
   potential IP disclosure due to Firefox Bug 409737.
 * bugfix: Fix view-source extension disclosure bug found by Greg 
 * bugfix: Fix javascript and about links. Found by Greg Fleischer.
 * new: Attempt to prevent window sizes from drifting during resize.

Mike Perry
Mad Computer Scientist
fscked.org evil labs
