Zero-Day Tor Browser Exploit Bypassed NoScript to Execute Malicious Code

Zerodium unveiled in a tweet a Tor Browser 7.x zero-day exploit which circumvented NoScript's 'Safest' security level to run malicious code inside the browser.

Tor Browser is a modified version of Mozilla's Firefox ESR which bundles the NoScript and HTTPS Everywhere extensions, together with an installation of the Tor network accessible via the TorButton, TorLauncher, and Tor proxy.

In theory, the browser allows its users to boost their privacy and avoid man-in-the-middle (MITM) attacks while browsing the web, and is a recommended solution by most anti-surveillance advocates.

The reason behind this zero-day attack vector not being usable on the new Tor Browser release, as explained by Giorgio Maone, NoScript's developer, is that the new version has moved to the new Firefox Quantum which also comes with different, new add-on APIs.

Moreover, the newest NoScript versions are also developed to work... (read more)

from Softpedia News / Global https://ift.tt/2CDLdHJ