Tor Browser Issues Update for Critical System Takeover Flaw

2019-06-20 15:53:37
Tara Seals
threatpost.com

Tor Browser has updated to version 8.5.2, to address a critical security flaw in Mozilla’s Firefox browser that is under active exploit in the wild.

The critical flaw (CVE-2019-11707) is a type confusion vulnerability in Array.pop, an array method used on JavaScript objects in Firefox. The vulnerability, which was disclosed and patched earlier this week, enables cybercriminals to take full control of systems running the vulnerable Firefox versions.

The issue affects Tor, since, as its founders said back in 2016, Firefox is at the heart of the privacy-focused onion browser.

“If you’ve used Tor, you’ve probably used Tor Browser, and if you’ve used Tor Browser you’ve used Firefox,” they said in a posting. “By lines of code, Tor Browser is mostly Firefox — there are some modifications and some additions, but around 95 percent of the code in Tor Browser comes from Firefox.”

The Android release for Tor won’t be available until this weekend, the project said, because of team travel.

“In the meantime, Android users should use the safer or safest security levels,” Tor said in an update on Thursday. “The security level on Android can be changed by going in the menu on the right of the URL bar and selecting Security Settings.”

Speedy updates are recommended given that the Firefox bug is being actively exploited in targeted attacks against Coinbase employees – and potentially other cryptocurrency organizations.

“On Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign,” Selena Deckelmann, senior director of Firefox Browser Engineering, told Threatpost. “In less than 24 hours, we released a fix for the exploit.”

Meanwhile, Tor also updated NoScript to 10.6.3, “fixing a few issues” – the update means that it no longer blocks MP4 on higher security levels, and it prevents cross-site scripting (XSS) protection from freezing the browser.