The Tor Project has issued a critical security advisory telling users of the onion router network to stop using Windows and switch to "live" systems if they want to remain anonymous online. The warning comes on the heels of a recently discovered attack that exploited a vulnerability on the Windows build of Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.
The malicious code in question doesn't download any executables to a victims' computer or tries to steal any login data. Rather, it uses Javascript to collect the hostname and MAC address of a person's computer, exactly the exact kind of data that Tor users are hoping to keep private while surfing the Internet.
Interestingly, after reverse engineering the code, researcher Vlad Tsyrklevich found that the identifying information was being sent to a server in Washington D.C., leading him to conclude that the FBI or another law enforcement agency is behind the attack. And while the malware may have played an important role taking down one of the largest child porn rings on the planet, it's also capable of identifying other people using Tor.
The latter is particularly prevalent among journalists as well as civil and human rights activists working in politically unstable regions of the world, though there are many other legitimate uses for it too.
People using Linux and OS X were not affected in this case, but that doesn't mean they couldn't be targeted in the future. Aside from recommending live-CD versions of Linux and OS X as alternatives, the advisory also asks users to update to the latest Tor browser bundle, and consider disabling Javascript altogether. Disabling JavaScript will reduce your vulnerability to similar attacks, but can also make some websites unusable.