Security issue discovered in TOR client - Update
In an analysis of the TOR source code, software developer Andrey Karpov found that the anonymisation software uses a function called
memset() to delete cache data, which is not supported by all compilers. In some cases, that can cause the TOR client to leave confidential data like passwords in the system memory when it is closed.
memset() function is problematic because it is automatically deleted when TOR is optimised for speed with a compiler like the one in Microsoft Visual Studio 2010. Once that happens, the data remains in system memory, where it can be read by malicious programs.
The TOR Project allows users to anonymise their identity by sending their traffic over a distributed network that aggregates and mixes data from many different sources, thereby preventing third parties from finding and decoding data packets.
Update (9/11/2012): The error has now been corrected by the developers. The code now uses
OPENSSL_cleanse() function rather than the eliminatable
memset(), though the developers are looking for faster alternatives. Since the
-O2 flag was used in the Tor project's configuration files, it is possible that the issue exists in Tor binaries for Windows, Mac OS X and Linux in binaries earlier than version 2.2.39-5.