The Tor Project has issued an emergency security bugfix release of Tor Browser, to prevent user IP address leakage due to a still unpatched Firefox bug.
About the vulnerability
The vulnerability was recently discovered by We Are Segment CEO Filippo Cavallarin, and dubbed TorMoil.
“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser,” the ethical hacking company explained, and said that they will refrain from disclosing the exploit and more details about the flaw until a proper fix is put in place.
The fix included in the aforementioned versions of Tor Browser for macOS and Linux is a temporary workaround.
“The bug got reported to us on Thursday, October 26, by Filippo Cavallarin. We created a workaround with the help of Mozilla engineers on the next day which, alas, fixed the leak only partially. We developed an additional fix on Tuesday, October 31, plugging all known holes,” Tor Browser developers noted.
This fix is just a temporary workaround, as it breaks some of the browser’s functionality. As the developers noted, “navigating file:// URLs in the browser might not work as expected anymore,” and users will have to drag the link into the URL bar or on a tab to make it work.
They say that they are not aware of this vulnerability being exploited in the wild, but that doesn’t mean that it’s not. Linux and macOS users should upgrade to version 7.0.9 or 7.5a7.
The Windows version of Tor Browser is not affected by the vulnerability, nor is the Sandboxed Tor Browser or Tails (a Linux distribution that forces all outgoing connections through Tor).
Other news from the Tor Project
The Tor Project has presented the next-generation of its onion service system last week, which will, in due time, supplant the legacy system entirely.
“The new system is a well needed improvement that fixes many shortcomings of the old design, and builds a solid foundation for future onion work,” the developers noted.
“On the cryptography side, we are looking at cutting-edge crypto algorithms and improved authentication schemes. On the protocol end, we redesigned the directory system to defend against info leaks and reduce the overall attack surface. Now, from an engineer’s perspective, the new protocol is way more extensible and features a cleaner codebase. And finally from the casual user’s PoV, the only thing that changes is that new onions are bigger, tastier and they now look like this: 7fa6xlti5joarlmkuhjaifa47ukgcwz6tfndgax45ocyn4rixm632jid.onion.”
More details about all the changes can be found here.