Yesterday I reported the news of a critical zero-day in Firefox that was addressed by Mozilla with a new release. The vulnerability, tracked as CVE-2019-11707, is a type confusion flaw in Array
The flaw was reported by Coinbase Security and Samuel Groß of the Google Project Zero team. Samuel Groß explained that he reported the bug to Mozilla on April 15, 2019.
The researcher explained that the vulnerability could be used for remote code execution if chained with a separate sandbox escape issue.
Developers at the Tor Project have released the Tor Browser 8.5.2 to address the CVE-2019-11707 vulnerability too. It is very important for Tor users to use the updated version of the Tor Browser to protect their anonymity.
This vulnerability did not affect users running under the Safer or Safest security levels.
“This release fixes a critical security update in Firefox. In addition, we update NoScript to 10.6.3, fixing a few issues.” reads the announcement of the Tor Project. “Users of the safer and safest security levels were not affected by this security issue.”
Users can manually check the availability of new updates by going to the Tor Browser menu -> Help -> About Tor Browser.
Mozilla confirmed that threat actors exploited the zero-day in targeted attacks in the wild, but the organizations did not provide technical details of the issue.
The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) also issued a short alert for the vulnerability in Mozilla.
The Tor Browser 8.5.2 also includes an updated version of the NoScript addon (ver. 10.6.3.),
Bad news for Android users: the updates for the Android version of the browser will not be available until the weekend. In the meantime, Android users should use the browser with the Safer or Safest security levels.
“As part of our team is currently traveling to an event, we are unable to access our Android
Below the full
Tor Browser 8.5.2 -- June 19 2019
 * All platforms
   * Pick up fix for Mozilla's bug 1544386
   * Update NoScript to 10.6.3
     * Bug 29904: NoScript blocks MP4 on higher security levels
     * Bug 30624+29043+29647: Prevent XSS protection from freezing the browser