Zero-Day Vulnerabilities Discovered in Tails OS Could De-Anonymize Users
A set of critical zero-day vulnerabilities has been discovered in Tails, the popular Tor-based Linux operating system, that could lead to attackers unmasking users.
Tails is a popular Linux-based operating system, based on the Tor Project and built for anonymity. It has even been named a favorite by NSA whistleblower Edward Snowden. The operating system has an abundance of privacy-enhancing applications that are designed to keep users safe. One such protection is a strict firewall in the main operating system that requires a valid connection to the Tor network before it allows an established connection to the internet.
In recent news, the secure operating system was reported to have several critical zero-day vulnerabilities that could help attackers or law enforcement agencies de-anonymize users and perform remote code execution, according to researchers at Exodus Intelligence.
Exodus Intelligence tweeted on Monday that they had found several remote code execution vulnerabilities in the Tails operating system. Though the firm did not release any details on the flaws, they explained that the flaws could put user security at great risk.
After Tails 1.1, the newest update, was released Tuesday, Exodus warned on Twitter that the latest version of the operating system still houses the identified zero-day vulnerabilities. The firm has not disclosed details on the vulnerabilities and stated it will not do so until a patch is released, and noted it will release information on the zero-day attacks in a blog post next week.
Exodus Intelligence is known for identifying vulnerabilities in a number of products and selling them to clients, which include U.S. agencies and DARPA. Luckily, in this case, Exodus has chosen to disclose the Tails remote code execution exploit instead of selling it to the highest bidder.
Christopher Soghoian, a privacy advocate and principal technologist at the ACLU, is extremely critical of the sale of zero-day vulnerabilities and tweeted multiple times about Exodus Intelligence’s business model.
“Looks like Exodus Intel is looking for a piece of the law enforcement Tor/Tails malware-delivery market,” Soghoian said in one tweet.
Tails developers still claim that Exodus has not briefed them on the vulnerabilities, stating:
“We were not contacted by Exodus Intel prior to their tweet. In fact, a more irritated version of this text was ready when we finally received an email from them. They informed us that they would provide us with a report within a week.”
The company assured users it will provide extra features to further enhance the security of the operating system.
“Being fully aware of this kind of threat, we’re continuously working on improving Tails’ security in depth. Among other tasks, we’re working on a tight integration of AppArmor in Tails, kernel and web browser hardening as well as sandboxing, just to name a few examples,” the developers said.
Just earlier today we discovered that the Tor Project had a set of vulnerabilities that could also de-anonymize users. These were found in Tor network nodes, and developers were also not briefed before researchers chose to disclose that the vulnerabilities existed.