Tor Browser 8.5.2 release patches critical Firefox vulnerability exploited in the wild

The release resolves a critical Mozilla Firefox vulnerability in active use.
Written by Charlie Osborne, Contributing Writer

The Tor Project has released Tor Browser 8.5.2, which fixes a critical Mozilla Firefox vulnerability that is being actively exploited in the wild.

The update is now available from Tor's download page and distribution directory.

According to the Tor Browser 8.5.2 release notes, the latest version of the anonymizing browser -- popular with those concerned about personal privacy and censorship -- includes a fix for CVE-2019-11707, a critical type confusion vulnerability in Firefox's JavaScript engine that can be triggered when manipulating JavaScript objects, due to issues in Array.pop.

Mozilla's advisory says the flaw allows for an exploitable crash, and that the company is aware of targeted attacks in the wild abusing it.


Samuel Groß, a cybersecurity researcher with Google Project Zero and Coinbase Security, was credited with the discovery of the vulnerability.

Speaking to ZDNet, Groß said that in addition to a crash, it is possible that the bug could be used for the remote execution of code -- with a sandbox escape caveat -- as well as cross-site scripting (XSS) attacks.

Users on Tor Browser's safer and safest security levels are not affected by the bug; those on the default standard level are, and should update.


In addition to resolving this security issue, the Tor Project has updated NoScript to 10.6.3, which fixes several problems including browser freezes and MP4 videos being blocked by mistake.


A delay in accessing the Android signing token means that the Android build of Tor Browser 8.5.2 has not yet been released and is not expected to land until the weekend. The mobile version will receive the same patch, but until then Android users are advised to switch to the safer or safest security level to mitigate the risk from the active exploit.

Android users can do so by navigating to the menu on the right of the URL bar and selecting "Security Settings."


The full changelog can be found here.

In related news, on Wednesday Oracle released an out-of-band patch to resolve a zero-day vulnerability in its WebLogic Server software.

The vulnerability, CVE-2019-2729, a deserialization flaw in WebLogic, was publicly reported by Chinese security researchers less than a week ago. Attackers who exploit it can take over vulnerable servers and run arbitrary code on them.
