/g/ - Technology
install openbsd
Just disable your pajeetscript dumb fuck. That's the whole point of nanochan.
>>2700
It's not a real exploit. It's a way of encoding data in images, which can be used as a vector for other exploits. The giveaway is that no browsers or versions are mentioned anywhere, implying that the "exploit" is an example of everything working as intended.
>is this even patchable
insofar as it's an exploit, it piggybacks off of existing exploits. Patch those and you patch this. Tor browser/modern firefox/chrome/etc. should already be patched against known vulns. But since the attack relies on javashit, you can protect against future exploits by disabling javascript, just like you knew you should.
Reminds me how some shitposters from Washington University encoded malware into DNA that could take over the lab equipment.
http://archivecaslytosk.onion/Y0mWH
>>2701
>>2702
>>2703
I always disable javascript, but the problem is that the browser supports it at all.
https://news.softpedia.com/news/zero-day-tor-browser-exploit-bypassed-noscript-to-execute-malicious-code-522604.shtml
>Zerodium unveiled in a tweet a Tor Browser 7.x zero-day exploit which circumvented NoScript's 'Safest' security level to run malicious code inside the browser.
Why should we leave our security to a third-party extension?
There should be a fork of tor browser bundle with a version of firefox that does not support javascript at all.
In fact just have a hardcoded version that is equivalent to the "safest" setting.
>>2703
What? How the fuck is that possible?
Archive.is supports TLS + the Hidden service now by the way, for what it's worth:
https://archivecaslytosk.onion/Y0mWH
>>2704
>NoScript
That's bloated as crap, I use uBlock Origin which also supports disabling Javascript by changing the HTTP headers
>disabling Javascript by changing the HTTP headers
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
>>2708
https://www.netsparker.com/blog/web-security/noscript-vulnerability-tor-browser/
>The NoScript Safest extension blocks all JavaScript code in Tor Browser versions 7.x. However, it can be bypassed with a simple trick in the HTTP response, allowing the JavaScript files to run. The attack works when the attacker adds the following HTTP header in the response:
>Content-Type: text/html;/json
>It seems like the code responsible for blocking scripts from loading actually parses the Content-Type header incorrectly. When the code encounters the /json string at the end of the header, it believes that the context can't execute scripts anyway. Therefore it does not see the need to disable the script engine on that page.
So essentially NoScript assumed a reason not to run.
It's fixed now but should I just switch to uBlock?
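The parsing mistake described in the Netsparker quote above, as an added example that is not part of any post in this thread and is not NoScript's code: a hypothetical tail-match check beside a fail-closed parse of the media type. The function names, the allowlist and the sample headers are assumptions constructed for illustration.

```javascript
// Added illustration; not NoScript's code. All names here are hypothetical.

// Flawed pattern: infer "this response cannot run scripts" from the tail
// of the raw header string.
function naiveLooksNonScriptable(contentType) {
  return /\/json\s*$/i.test(contentType);
}

// Assumed policy: media types treated as non-scriptable documents.
const NON_SCRIPTABLE = new Set(["application/json", "text/plain"]);

// HTTP token characters (RFC 7230), used for both type and subtype.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const ESSENCE_RE = new RegExp(`^(${TOKEN})/(${TOKEN})$`);

// Return the lower-cased "type/subtype", or null when the header is malformed.
// Only the part before the first ';' names the media type; the rest is parameters.
function mediaTypeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const first = contentType.split(";")[0].trim();
  return ESSENCE_RE.test(first) ? first.toLowerCase() : null;
}

// Fail closed: scripts stay enabled only for a well-formed, allowlisted type.
function mayLeaveScriptsEnabled(contentType) {
  const essence = mediaTypeEssence(contentType);
  return essence !== null && NON_SCRIPTABLE.has(essence);
}

// Constructed sample headers; the first is the value quoted in the thread.
const SAMPLES = ["text/html;/json", "application/json; charset=utf-8",
                 "text/html", "/json", ""];

function compare(headers) {
  return headers.map((h) => ({
    header: h,
    naive: naiveLooksNonScriptable(h),
    strict: mayLeaveScriptsEnabled(h),
  }));
}

console.table(compare(SAMPLES));
```

The `naive` column is true wherever the tail-match check would leave the script engine on; the `strict` column is true only for a well-formed header whose type is on the allowlist.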
>>2709
>It's fixed now but should I just switch to uBlock?
It's up to you, I simply block all third-party resources which kinda makes me more unique but I really don't want to connect to Google or whatever other big analytics company.
If you just want to block Javascript, uBlock Origin might not be the most obvious option, but I don't know, I really disliked NoScript; it seemed much too bloated for my liking, so I figured I'd simply use that instead of NoScript.
>thehackernews.com
gfo
https://thehackernews.com/2015/06/Stegosploit-malware.html
>TLDR
>Malicious code or exploit is encoded inside the image’s pixels, which is then decoded using an HTML 5 Canvas element that allows for dynamic, scriptable rendering of images.
>The malicious code, dubbed IMAJS, is a combination of both image code as well as JavaScript hidden into a JPG or PNG image file. Shah hides the malicious code within the image’s pixels, and unless somebody zoom a lot into it, the image looks just fine from the outside.
>fucking javashit
Is this even patchable? It seems like 90% of the exploits in tor come from javascript.
Only solution I can think of would be if the browser reformatted the images before displaying them. But that sounds resource intensive.