Certain users of the Tor Browser should implement a temporary fix for a vulnerability that can potentially leak their real IP addresses.
On 3 November, Tor Browser 7.0.9 rolled out to macOS and Linux users. Included in the updated version is a fix for an issue that affects Tor Browser 7.0.8 on those two operating systems. Windows users aren’t affected by the issue and therefore need not upgrade. Tails users and users of the sandboxed Tor Browser are also safe from the bug.
Tor initially received word about the vulnerability on 26 October from Filippo Cavallarin, CEO of We Are Segment. Researchers at the Italian digital security and ethical hacking company describe how the flaw dubbed “TorMoil” works:
“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser.”
Upon learning of the flaw, Tor worked with Mozilla to develop a fix. Their efforts produced a workaround that Tor’s researchers admit only partially addresses a fix. They came up with a more substantive patch on 31 October, which went live on 3 November.
At this time, it’s unclear if the vulnerability applies to earlier versions than Tor Browser 7.0.8 for macOS and Linux. It’s also unknown why Tor waited three days to release its additional fix. What is clear, however, is that a final fix is still needed.
Tor’s researchers say they’re working on one:
“The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136.”
Users of the macOS and Linux bundles for Tor’s alpha series might receive updates on 6 November. While they await those fixes, Tor recommends they use an updated version of the stable bundle.
News of this vulnerability comes several months after the Tor Project publicly unveiled its vulnerability research framework, which is one of The State of Security‘s essential bug bounty programs for 2017. To learn about the other programs, please click here.