Important Update (June 21, 2019): The Tor Project announced on Friday the release of its latest update, Tor Browser 8.5.3, addressing a significant Firefox zero-day vulnerability identified earlier in the week. This update follows Mozilla’s recent patches for Firefox versions 67.0.3 and 60.7.1, which fixed a critical, actively exploited security flaw tracked as CVE-2019-11707. This flaw has the potential to grant attackers full remote control over affected systems.
The latest version of the Tor Browser not only resolves this critical security issue but also introduces an upgraded NoScript component, version 10.6.3, which addresses several known bugs. According to the Tor Project Team, users operating under the “safer” and “safest” security settings are not impacted by this vulnerability, underscoring the importance of selecting appropriate security levels.
Despite the timely release for desktop users, Android users have yet to receive an updated version of the Tor Browser. The Tor Project has advised this group to enable “safer” or “safest” settings as a precaution until the app can be patched. The change in security settings on Android can be made through the menu located to the right of the URL bar, according to Lead Automation Engineer Nicolas Vigier.
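The fix lands on two Firefox branches at once (release 67.0.3 and ESR 60.7.1) plus Tor Browser 8.5.3, so a naive "is the version number bigger than 60.7.1" check would wrongly accept an unpatched 66.x build. The following is an added example (not Tor Project or Mozilla code) that encodes the fixed versions named in this article and triages a constructed, hypothetical inventory of reported browser builds; the hostnames, product labels and version strings in it are made up for illustration.

```python
"""Triage reported browser builds against the CVE-2019-11707 fixed versions.

Added example, not Tor Project or Mozilla code. The fixed versions are the
ones this article names: Firefox 67.0.3 (release), Firefox 60.7.1 (ESR) and
Tor Browser 8.5.3. Release builds 61.x-66.x sit numerically above 60.7.1 but
predate the fix, so the check is done per branch (major version), not as a
flat numeric comparison.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed versions per product, taken from the advisory text above.
FIXED: Dict[str, List[Version]] = {
    "firefox": [(60, 7, 1), (67, 0, 3)],   # ESR 60 branch, release branch
    "torbrowser": [(8, 5, 3)],
}


def parse_version(text: str) -> Version:
    """Turn '67.0.3', '60.7.1esr' or '8.5.3' into a tuple of ints.

    Trailing channel suffixes such as 'esr' are ignored; anything that does
    not start with a dotted number is rejected rather than guessed at.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: Version, width: int = 3) -> Version:
    """Right-pad with zeros so '8.5' compares as (8, 5, 0)."""
    return v + (0,) * (width - len(v))


def is_patched(product: str, version_text: str) -> bool:
    """True if the reported build is at or past the fix for its branch."""
    v = _pad(parse_version(version_text))
    fixes = sorted(_pad(f) for f in FIXED[product])
    # Same major as a fixed release: patched once it reaches that release.
    for fix in fixes:
        if v[0] == fix[0]:
            return v >= fix
    # Majors newer than the newest fixed release postdate the fix; any other
    # major (older ESR, or release 61-66) predates it.
    return v[0] > fixes[-1][0]


# Constructed sample inventory (hostname, product, reported version); not real data.
SAMPLE_INVENTORY = [
    ("desk-01", "firefox", "67.0.3"),
    ("desk-02", "firefox", "66.0.5"),      # numerically > 60.7.1, still unpatched
    ("desk-03", "firefox", "60.7.1esr"),
    ("desk-04", "torbrowser", "8.5.2"),
    ("desk-05", "torbrowser", "8.5.3"),
]


def needs_update(inventory) -> List[str]:
    """Return the hostnames whose reported build predates the fix."""
    return [host for host, product, ver in inventory if not is_patched(product, ver)]


if __name__ == "__main__":
    for host in needs_update(SAMPLE_INVENTORY):
        print(f"{host}: update required for CVE-2019-11707")
```

The per-branch comparison is the point: the ESR 60 line and the release line are patched at different version numbers, and treating the version string as one monotonically increasing value would let a 66.x release build pass as "newer than 60.7.1".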
The recent vulnerability has broader implications: it could also enable universal cross-site scripting (UXSS) attacks, which bypass the browser's same-origin policy. This means a malicious site could potentially read and steal sensitive data belonging to other sites the user is logged into.
Given that Tor is primarily utilized by users highly concerned with privacy, the urgency of installing the updated version cannot be overstated. The implications of such vulnerabilities are significant, particularly for those who rely upon anonymity tools for secure internet usage.
In summary, this incident highlights a critical vulnerability impacting users of both Firefox and Tor. Attention from businesses and privacy-minded individuals is warranted as the threat landscape evolves. Adopting best practices, including keeping software up to date, remains crucial in minimizing the risk from such exploits, which map to MITRE ATT&CK tactics such as Initial Access and Persistence as used by adversaries.