
Re: [tor-talk] Firefox vs. Tor Browser Bundle release cycles



> Hello,
>
> Firefox ESR 17.0.11 indeed turns out (somewhat confusingly) to be 
> equivalent to Firefox ESR 24.1.1, and the TBB based on ESR 17.0.11 was 
> released only four days after Mozilla's updates, which frankly deserves 
> praise. TBB's latest code is only one release behind Mozilla's on
> security patches.
>
>
> ESR17 has hit end of life at Mozilla and won't be receiving any more
> security updates. There was no 17.0.12 released yesterday, for example. In
> order for TBB to be current for recent security updates, it needs to be
> off of the ESR24 branch.
>
>
>
> That said, outside of the advisories, the bugs for a given release of
> Firefox are not opened to the public for a minimum of six weeks (one
> release cycle) following a release and sometimes a bit more as to avoid
> any self-zero day events.
>
An adversary could potentially dig through current Firefox release code,
diff it against relevant portions of the code base used to build the Tor
Browser Bundle, and then infer potentially exploitable vulnerabilities
that TBB users might also be vulnerable to.

Adversaries seeking to exploit TBB users might find that to be
significantly easier than finding and exploiting a previously-undisclosed
zero-day Firefox vulnerability--especially since it's reasonable to assume
that the vast majority of TBB users will be vulnerable to security
problems patched in the latest Firefox releases but not yet incorporated
into the latest TBB release.

>
>
> So I was wrong about precisely how far TBB is behind the latest ESR 
> release on security patches, but like I said before, at some point the 
> latest TBB is either shipping known-vulnerable Firefox code or it's not. 
> From the visual at the bottom of 
> http://en.wikipedia.org/wiki/Firefox_release_history, it looks like 
> Firefox ESR 17.0.11 included security patches from Firefox ESR 24.1.1, so
> my understanding is that TBB is at least potentially vulnerable to the
> known, patched vulnerabilities in the list above.
>
>
> No, ESR 17.0.11 included some ESR 24.1.1 patches. There is not a 1:1
> mapping. The codebase is different and the same fixes are not always
> applied to the older codebase, either due to lack of defect but also
> sometimes due to overall code changes that make it difficult or dangerous
> to apply the patches.
>
It's still generally true that the Firefox code shipped with TBB is
potentially vulnerable to "easier" attacks whenever your team (at Mozilla)
has already released security updates that have not yet been incorporated
into TBB.

>
> -- 
> Al Billings
> http://makehacklearn.org
>
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>


