The Tor Project has released a new version of the Tor Browser, v.8.5.2, that resolves a critical vulnerability found in Mozilla Firefox which is being actively abused in the wild.
According to the Tor Browser 8.5.2 release notes, the latest version of the anonymizing browser -- popular with those concerned about personal privacy and censorship -- includes a fix for CVE-2019-11707, a critical type confusion vulnerability caused by errors in the Array.pop component of Firefox.
If exploited, this can lead to browser crashes, Mozilla says.
Samuel Groß, a cybersecurity researcher with Google Project Zero and Coinbase Security, was credited with the discovery of the vulnerability.
Speaking to ZDNet, Groß said that in addition to a crash, it is possible that the bug could be used for the remote execution of code -- with a sandbox escape caveat -- as well as cross-site scripting (XSS) attacks.
Users of the safer and safest security levels in Tor are not affected.
In addition to resolving this serious security issue, the Tor Project has also updated NoScript to 10.6.3 to patch several issues including browser freezes and the accidental blockage of MP4 videos.
A delay in accessing Tor's Android token means that the Android 8.5.2 version of the Tor Browser has not yet been released and is not expected to land until the weekend. While the mobile version of Tor will receive the same patch, for now, it is recommended that Android users shift over to safe or safest security levels in order to mitigate the risk of the active exploit.
Android users can do so by navigating to the menu on the right of the URL bar and selecting "Security Settings."
The full changelog can be found here.
In related news, on Wednesday, Oracle released an out-of-bounds patch to resolve a zero-day vulnerability present in WebLogic server software.
The vulnerability, CVE-2019-2729, was reported by Chinese cybersecurity researchers less than a week ago. If exploited, cyberattackers are able to utilize the zero-day security flaw to hijack user systems and run arbitrary code.
Previous and related coverage
- CIA camps out in anonymized Tor network
- Dark web crackdown: Germans want to criminalize anyone providing a platform
- Mozilla offers research grant for a way to embed Tor inside Firefox
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0