The Tor project has released an emergency update for the Linux and Mac versions of the Tor Browser Bundle. Under certain circumstances, the two affected versions reveal users' real IP addresses and thus defeat the intended anonymity. The Windows version of the Tor Browser, the Tails distribution and the sandboxed Tor Browser currently in alpha testing should not be affected.
The error occurs when users open an address prefixed with file:// instead of the usual http:// or https://. Opening such an address triggers a direct interaction between the operating system and the web server, and the IP address is no longer anonymized. Whether the website needs to meet additional requirements for a successful attack is not clear from the blog post by the finder of the vulnerability, Filippo Cavallarin, the CEO of the company Segment. Normal browsing in the Tor Browser is not affected by the error.
Workaround can still cause problems
The Tor project has released a preliminary fix, which can, however, cause problems with file:// resources. For most users this should be tolerable. The current version for Mac and Linux is 7.0.9. Windows users can stay on version 7.0.8. There is currently no evidence that the vulnerability is being actively exploited.
On Monday, the 6th of November, a new version will appear in the alpha channel to patch the vulnerability in these versions as well. These versions are not intended for production use anyway.