summaryrefslogtreecommitdiffstats
path: root/wiki/src/news/On_0days_exploits_and_disclosure.mdwn
blob: cb5970b590db2b4ac1259174075c45adea0d6109 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
[[!meta title="On 0days, exploits and disclosure"]]
[[!meta date="Tue Jul 22 21:40:00 2014"]]

A [recent
tweet](https://twitter.com/ExodusIntel/status/491247299054428160) from
Exodus Intel (a company based in Austin, Texas) generated quite some
noise on the Internet:

> "We're happy to see that TAILS 1.1 is being released tomorrow.
> Our multiple RCE/de-anonymization zero-days are still effective. #tails #tor"

Tails ships a lot of software, from the Linux kernel to a fully
functional desktop, including a web browser and a lot of other
programs. Tails also adds a bit of custom software on top of this.

Security issues are discovered every month in a few of these programs.
Some people report such vulnerabilities, and then they get fixed: This
is the power of free and open source software. Others don't disclose
them, but run lucrative businesses by weaponizing and selling them
instead. This is not new and [comes as no
surprise](https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate).

We were not contacted by Exodus Intel prior to their tweet. In fact,
a more irritated version of this text was ready when we finally
received an email from them. They informed us that they would provide
us with a report within a week. We're told they won't disclose these
vulnerabilities publicly before we have corrected it, and Tails users
have had a chance to upgrade. We think that this is the right process
to responsibly disclose vulnerabilities, and we're really looking
forward to read this report.

Being fully aware of this kind of threat, we're continously working on
improving Tails' security in depth. Among other tasks, we're working
on a [tight
integration](https://labs.riseup.net/code/projects/tails/search?q=apparmor)
of AppArmor in Tails, [[!tails_ticket desc="kernel" 7639]] and
[[!tails_ticket desc="web browser hardening" 5802]] as well as
[[!tails_ticket desc="sandboxing" 6081]], just to name a few examples.

We are happy about every contribution which protects our users further
from de-anonymization and helps them to protect their private data,
investigations, and their lives. If you are a security researcher,
please audit Tails, Debian, Tor or any other piece of software we
ship. To report or discuss vulnerabilities you discover, please get in
touch with us by sending email to <tails@boum.org>.

Anybody wanting to contribute to Tails to help defend privacy,
[[please join us|contribute]]!