
Re: [tor-talk] Javascript exploit



On Wed, Nov 30, 2016 at 12:08:00PM +0000, Georg Koppen wrote:
> FWIW: We plan to release 6.0.7 with the patch Mozilla developed in a
> couple of hours. Updates to the alpha and hardened series will be
> provided as well thereafter.

Update:

* The blog post about the 6.0.7 Tor Browser update will go up any
moment. I see that the Tor Browser team has already put the packages in
https://dist.torproject.org/torbrowser/6.0.7/

* It looks like the vulnerability was in Firefox's SVG animation, so the
exploit does not work unless you have both SVG and JavaScript enabled.
The "high" setting of Tor Browser's security slider disables both of
these pieces of the browser.

* It looks like the exploit code went up on pastebin on Monday morning,
and Mozilla worked on a patch yesterday, and updates to Firefox and
Tor Browser and Tails are coming out today. The exploit only worked on
Windows, but the vulnerability exists for Windows, OS X, and Linux.

In the meantime, if you slide your security slider to high, you won't
be vulnerable to this issue.

--Roger
