https://thehackernews.com/2015/06/Stegosploit-malware.html
>TLDR
>Malicious code or exploit is encoded inside the image’s pixels, which is then decoded using an HTML 5 Canvas element that allows for dynamic, scriptable rendering of images.
>The malicious code, dubbed IMAJS, is a combination of both image code as well as JavaScript hidden in a JPG or PNG image file. Shah hides the malicious code within the image’s pixels, and unless somebody zooms a lot into it, the image looks just fine from the outside.
>fucking javashit
Is this even patchable? It seems like 90% of the exploits in Tor come from JavaScript.
Only solution I can think of would be if the browser reformatted the images before displaying them. But that sounds resource intensive.
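What the article's "encoded inside the image's pixels, decoded with a canvas" actually amounts to, as an added example that is not code from the original post, the article, or Shah's Stegosploit tooling: a script string is written into the least-significant bit of each R, G and B byte of an RGBA pixel buffer, and a decode loop reads it back. The buffer here is constructed to stand in for canvas `ImageData.data`; in a browser the decoder would read `ctx.getImageData(0, 0, w, h).data` instead. The image dimensions, gradient and embedded string are all made up for the demo.

```javascript
// Added example (not code from the original thread or from Saumil Shah's
// Stegosploit): least-significant-bit encoding of a script string into the
// RGB channels of an RGBA pixel buffer, and the decode loop that recovers it.
// The buffer stands in for canvas ImageData.data; in a browser the decoder
// would read ctx.getImageData(0, 0, w, h).data instead. Sizes and the
// embedded string below are constructed for the demo.

const WIDTH = 32;
const HEIGHT = 32;

// Constructed cover image: a smooth gradient, so a 1-bit change per channel
// is invisible, which is the "looks fine unless you zoom in" point.
function makeImage(width = WIDTH, height = HEIGHT) {
  const data = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < width * height; i++) {
    data[i * 4] = (i * 7) & 0xff;     // R
    data[i * 4 + 1] = (i * 3) & 0xff; // G
    data[i * 4 + 2] = (i * 5) & 0xff; // B
    data[i * 4 + 3] = 255;            // A, never touched by the encoder
  }
  return data;
}

// One bit per colour channel, alpha skipped, minus a 4-byte length prefix.
function capacityBytes(data) {
  return Math.floor(((data.length / 4) * 3) / 8) - 4;
}

// Write a UTF-8 payload (length-prefixed) into the LSB of each R, G and B byte.
function embed(data, text) {
  const payload = Buffer.from(text, 'utf8');
  if (payload.length > capacityBytes(data)) {
    throw new Error('payload does not fit in this image');
  }
  const bytes = Buffer.concat([Buffer.alloc(4), payload]);
  bytes.writeUInt32BE(payload.length, 0);
  const out = new Uint8ClampedArray(data);
  const totalBits = bytes.length * 8;
  let bit = 0;
  for (let i = 0; i < out.length && bit < totalBits; i++) {
    if (i % 4 === 3) continue; // skip alpha
    const b = (bytes[bit >> 3] >> (7 - (bit & 7))) & 1;
    out[i] = (out[i] & 0xfe) | b;
    bit++;
  }
  return out;
}

// Read the LSBs back: first the 32-bit length, then that many bytes.
function extract(data) {
  const bytes = [];
  let acc = 0;
  let nbits = 0;
  let need = 4;
  for (let i = 0; i < data.length && bytes.length < need; i++) {
    if (i % 4 === 3) continue;
    acc = (acc << 1) | (data[i] & 1);
    if (++nbits === 8) {
      bytes.push(acc);
      acc = 0;
      nbits = 0;
      if (bytes.length === 4) {
        need = 4 + Buffer.from(bytes).readUInt32BE(0);
      }
    }
  }
  return Buffer.from(bytes.slice(4)).toString('utf8');
}

// Largest per-channel change the embedding made: at most 1 on a 0..255 scale.
function maxPixelDelta(a, b) {
  let max = 0;
  for (let i = 0; i < a.length; i++) max = Math.max(max, Math.abs(a[i] - b[i]));
  return max;
}

// Demo: the recovered string is what a Stegosploit-style loader would hand to
// the JS engine; here it is only returned, never executed.
function demo() {
  const cover = makeImage();
  const hidden = 'console.log("hidden payload")'; // constructed stand-in
  const stego = embed(cover, hidden);
  return { recovered: extract(stego), delta: maxPixelDelta(cover, stego) };
}
```

The pixel buffer is still a perfectly valid image after `embed()`, which is why no image decoder or content filter flags it: the only step that turns the recovered string into anything harmful is the page's own JavaScript passing it to the script engine, so a browser with scripts disabled renders the image and nothing else.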
>>2700 It's not a real exploit. It's a way of encoding data in images, which can be used as a vector for other exploits. The giveaway is that no browsers or versions are mentioned anywhere, implying that the "exploit" is an example of everything working as intended.
>is this even patchable
Insofar as it's an exploit, it piggybacks off existing exploits. Patch those and you patch this. Tor Browser/modern Firefox/Chrome/etc. should already be patched against known vulns. But since the attack relies on javashit, you can protect against future exploits by disabling JavaScript, just like you knew you should.
>Zerodium unveiled in a tweet a Tor Browser 7.x zero-day exploit which circumvented NoScript's 'Safest' security level to run malicious code inside the browser.
Why should we leave our security to a third-party extension?
There should be a fork of the Tor Browser Bundle with a version of Firefox that does not support JavaScript at all.
In fact just have a hardcoded version that is equivalent to the "safest" setting.
>The NoScript Safest extension blocks all JavaScript code in Tor Browser versions 7.x. However, it can be bypassed with a simple trick in the HTTP response, allowing the JavaScript files to run. The attack works when the attacker adds the following HTTP header in the response:
>Content-Type: text/html;/json
>It seems like the code responsible for blocking scripts from loading actually parses the Content-Type header incorrectly. When the code encounters the /json string at the end of the header, it believes that the context can't execute scripts anyway. Therefore it does not see the need to disable the script engine on that page.
So essentially NoScript assumed a reason not to run.
It's fixed now but should I just switch to uBlock?
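The quoted description of the bypass ("/json at the end of the header makes the code think the context can't execute scripts") comes down to a Content-Type value being parsed wrong. As an added illustration, not NoScript's actual code, here is a naive check that reproduces that symptom next to a parser that takes the media-type essence the way RFC 7231 defines it (everything before the first `;`, then `type/subtype`) and fails closed on anything malformed. `naiveShouldBlock()` is an assumed model of the reported behaviour only; the real extension's logic differed, and all header values are constructed.

```javascript
// Added example (not NoScript's code): a simplified reconstruction of the
// Content-Type handling failure the thread quotes, beside a parser that takes
// the media type the way RFC 7231 defines it. naiveShouldBlock() is an
// assumption that models only the reported symptom ("/json" at the end of the
// header value is taken as a non-script context); the real extension differed.

// Media types whose documents cannot run scripts, so blocking can be skipped.
const INERT_TYPES = new Set([
  'application/json', 'text/plain', 'text/css', 'image/png', 'image/jpeg',
]);

// Flawed check: keys off the text after the LAST '/' in the header value.
// "text/html;/json" therefore looks like json and scripts are left enabled.
function naiveShouldBlock(header) {
  const tail = header.toLowerCase().slice(header.lastIndexOf('/') + 1);
  const subtype = tail.split(';')[0].trim();
  return !['json', 'plain', 'css', 'png', 'jpeg'].includes(subtype);
}

// RFC 7230 token: a run of tchar with no whitespace or separators.
const TOKEN = /^[!#$%&'*+.^_`|~0-9a-z-]+$/;

// Parse "type/subtype" (the media-type essence), ignoring parameters.
// Returns null for anything malformed so callers can fail closed.
function parseMediaTypeEssence(header) {
  const essence = header.split(';')[0].trim().toLowerCase();
  const parts = essence.split('/');
  if (parts.length !== 2 || !TOKEN.test(parts[0]) || !TOKEN.test(parts[1])) {
    return null;
  }
  return `${parts[0]}/${parts[1]}`;
}

// Hardened check: block unless the parsed essence is positively inert.
// A malformed header is treated as script-capable, because the browser may
// sniff it and render it as HTML regardless.
function shouldBlockScripts(header) {
  const essence = parseMediaTypeEssence(header);
  if (essence === null) return true;
  return !INERT_TYPES.has(essence);
}

// Both policies over a set of constructed header values.
function compare(headers) {
  return headers.map((h) => ({
    header: h,
    naive: naiveShouldBlock(h),
    fixed: shouldBlockScripts(h),
  }));
}
```

Run `compare(['text/html', 'text/html;/json', 'application/json; charset=utf-8', 'garbage'])` and the two columns disagree exactly on the bypass value: the naive version lets `text/html;/json` through, the fixed version blocks it, and only a genuine `application/json` is exempted by the fixed version. The general lesson is the second function's default: a script blocker should only stand down when it has positively parsed a type that cannot carry script, never when it merely failed to recognise one.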
>>2709 >It's fixed now but should I just switch to uBlock?
It's up to you, I simply block all third-party resources which kinda makes me more unique but I really don't want to connect to Google or whatever other big analytics company.
If you just want to block JavaScript, uBlock Origin might not be the most obvious option, but I don't know, I really disliked NoScript; it seemed much too bloated for my liking, so I figured I'd simply use that instead of NoScript.