"Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser."Upon learning of the flaw, Tor worked with Mozilla to develop a fix. Their efforts produced a workaround that Tor's researchers admit only partially addresses a fix. They came up with a more substantive patch on 31 October, which went live on 3 November.
"The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136."Users of the macOS and Linux bundles for Tor's alpha series might receive updates on 6 November. While they await those fixes, Tor recommends they use an updated version of the stable bundle. News of this vulnerability comes several months after the Tor Project publicly unveiled its vulnerability research framework, which is one of The State of Security's essential bug bounty programs for 2017. To learn about the other programs, please click here.