[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Javascript exploit
On Wed, Nov 30, 2016 at 12:08:00PM +0000, Georg Koppen wrote:
> FWIW: We plan to release 6.0.7 with the patch Mozilla developed in a
> couple of hours. Updates to the alpha and hardened series will we
> provided as well thereafter.
Update:
* The blog post about the 6.0.7 Tor Browser update will go up any
moment. I see that the Tor Browser team has already put the packages in
https://dist.torproject.org/torbrowser/6.0.7/
* It looks like the vulnerability was in Firefox's SVG animation, so the
exploit does not work unless you have both svg and javascript enabled.
The "high" setting of Tor Browser's security slider disables both of
these pieces of the browser.
* It looks like the exploit code went up on pastebin on Monday morning,
and Mozilla worked on a patch yesterday, and updates to Firefox and
Tor Browser and Tails are coming out today. The exploit only worked on
Windows, but the vulnerability exists for Windows, OS X, and Linux.
In the meantime, if you slide your security slider to high, you won't
be vulnerable to this issue.
--Roger
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk