If TBB leads want to run Firefox with JavaScript "default on", then Tor Browser Bundle needs to be messaged as insecure. Either that or turn on NoScript and inform people what bad shit can happen when their browser is interpreting arbitrary code in a not-so-sandboxed manner. TBB is not a solution against targeted deanonymization attacks.

This is neither the first nor the last 0day in Firefox that will affect TBB.

IMO the best practical mitigation against these attacks is sandboxing with an amnesic system like Tails, as even as a VM it will leak a lot less information about the machine it is running on and requires burning both a Firefox 0day and a VM escape to get any real information outside of the real IP address of the user and some basic things out of /proc (although Tails may protect against the latter now). Also, as the whole VM goes away when it's closed, you're not getting persistence on that machine if you just pop the browser.

A 30 second glance at the source code makes it look like this exploit pivots to attacker-controlled memory on the heap, and spawns a thread using kernel32.dll. As EMET has hardening against attacks like this, I am curious if this exploit works at all on EMET-enabled Windows systems.

VMs are all nice and that, but if the exploit can compromise the TBB it's too late already; sandboxing needs to happen in the browser. On Linux you can use namespaces + strict seccomp rules, but I don't know what one would use for Windows. First priority would be to sandbox the browser and work your way down if you want to sandbox more stuff. For Windows EMET can help to prevent certain exploits I guess, but yea, a browser that can access anything on the filesystem & system calls is bad stuff.

Working within an assumed breach scenario, the VM is defense in depth. Firefox has holes, and it will continue to be relatively easily exploitable as long as TBB allows for plugins and JavaScript by default. There is reticence from TBB team to disable JS by default even in the face of a few of these 0days, so you have to protect TBB users a level down from the browser and assume it'll be popped.

There are Windows "sandboxes" like Bromium, and as stated, IIRC EMET will stop the stack pivot here.

Last time I checked they were working on a TBB sandbox [1]. Let's hope it will be there soon. Subgraph has oz [2], which can be used with any program really; then there is firejail [3], but these 2 are only available on Linux.

1: https://blog.torproject.org/blog/q-and-yawning-angel
2: https://github.com/subgraph/oz
3: https://github.com/netblue30/firejail