Tor Browser 8.5.2 fixes Firefox zero-day. Update it now!

Developers at the Tor Project have released the Tor Browser 8.5.2 to address the recently fixed CVE-2019-11707 zero-day flaw in Mozilla Firefox.

Yesterday I reported the news of a critical zero-day in Firefox that was addressed by Mozilla with a new release. The vulnerability, tracked as CVE-2019-11707, is a type confusion flaw in Array.pop. Mozilla has addressed it with the release of Firefox 67.0.3 and Firefox ESR 60.7.1.

The flaw was reported by Coinbase Security and Samuel Groß of Google Project Zero team. Samuel Groß explained that he reported the bug to Mozilla on April 15, 2019.

The researcher explained that the vulnerability could be used for remote code execution if chained with a separate sandbox escape issue.

Developers at the Tor Project have released the Tor Browser 8.5.2 to address the CVE-2019-11707 vulnerability too. It is very important for Tor users to use the updated version of the Tor Browser to protect their anonymity.

This vulnerability did not affect users running under the Safer or Safest security levels.

“This release fixes a critical security update in Firefox. In addition, we update NoScript to 10.6.3, fixing a few issues.” reads the announcement of the Tor Project. “Users of the safer and safest security levels were not affected by this security issue.”

Users can manually check the availability of new updates by going to the Tor Browser menu -> Help -> About Tor Browser.

Mozilla confirmed that threat actors exploited the zero-day in targeted attacks in the wild, the organizations did not provide technical details of the issue.

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) also issued a short alert for the vulnerability in Mozilla.

The Tor Browser 8.5.2 also includes an updated version of the NoScript addon (ver. 10.6.3.),

Bad news for Android users, the updates for the Android version of the Browser will not be available until the weekend, meantime Android users should use the browser with safer or safest security levels.

“As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend.” continues the announcemente.

The Tor Browser 8.5.2 can be downloaded from the Tor Browser download page and from the distribution directory.

Below the full changelog for the new version:

Tor Browser 8.5.2 -- June 19 2019
 * All platforms
   * Pick up fix for Mozilla's bug 1544386
   * Update NoScript to 10.6.3
     * Bug 29904: NoScript blocks MP4 on higher security levels
     * Bug 30624+29043+29647: Prevent XSS protection from freezing the browser

Pierluigi Paganini

(SecurityAffairs – Tor, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]

Share On