The Tor Project released an update late Friday to fix a vulnerability that leaks the real IP addresses of MacOS and Linux users of Tor Browser version 7.0.8. The patch ships in the upgrade to Tor Browser 7.0.9.
The Tor Browser is an open source project that helps its users defend against traffic analysis and preserve their anonymity. Using Tor makes it more difficult for Internet activity to be traced back to the user: this includes “visits to Web sites, online posts, instant messages, and other communication forms.”
The bug was reported to the Tor Project on Thursday, October 26, by Filippo Cavallarin. A workaround was created with the help of Mozilla engineers the next day, but it fixed the leak only partially. An additional fix on October 31 plugged all known security holes.
“This release features an important security update to Tor Browser for MacOS and Linux users. Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser,” posted the Tor Project on Friday.
Who is affected?
MacOS and Linux users of version 7.0.8 of the Tor Browser are affected by the vulnerability and should upgrade immediately.
The Tor Browser alpha series release 7.5a6 for MacOS and Linux is also affected; its users should upgrade to alpha version 7.5a7.
Tails users and users of Tor’s sandboxed-tor-browser are unaffected by the vulnerability. Windows users of both the stable and alpha browsers are not affected.
As of Saturday, the Tor Project was not aware of this vulnerability being exploited in the wild.
Patch your applications
Don’t let hackers exploit this vulnerability. If you are using the Tor Browser, update as soon as you can. If you are using Tor Project code as part of a larger application, the problem is more involved.
Look for a Bill of Materials (BOM) that mentions Tor Project software. If a BOM is not available, work with your developers to confirm that none of the vulnerable code is present in your applications. You may need to spend some time combing through your applications to find and remove any vulnerable code.
For companies that have a Software Composition Analysis (SCA) solution, the process is much easier. An SCA tool will alert you to the new vulnerability and help you track and patch any vulnerable code in current and shipped software – in software packages, and all the way down to code snippets. Close the risk window as soon as possible to keep your internal and external software secure.
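As an added illustration of the inventory check described above (this is example code written for this page, not a Tor Project or SCA-vendor tool), the script below scans a small BOM-style JSON inventory for Tor Browser entries and flags the ones that fall on the affected side of the fix. The inventory format (a `components` list with `name`, `version` and `platform` keys) and the sample entries are constructed for the example; the affected and fixed versions and the platform rule come from the advisory text. Entries older than the fix but not named in the advisory are reported with status `verify` rather than silently passed, which is the behaviour a practitioner would want from a first-pass scan.

```python
import json
import re

# From the advisory: only MacOS and Linux builds are affected, and these are
# the affected -> fixed versions for the stable and alpha series.
AFFECTED_PLATFORMS = {"macos", "linux"}
SERIES_FIXES = {  # series -> (affected version, fixed version)
    "stable": ("7.0.8", "7.0.9"),
    "alpha": ("7.5a6", "7.5a7"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:a(\d+))?$")


def parse_version(text):
    """Turn '7.0.8' or '7.5a6' into a tuple that sorts correctly.

    An alpha build sorts before the final release with the same number,
    so 7.5a6 < 7.5a7 < 7.5, and 7.0.8 < 7.0.9.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tor Browser version: {text!r}")
    major, minor, patch, alpha = m.groups()
    return (int(major), int(minor), int(patch or 0),
            0 if alpha else 1, int(alpha or 0))


def series_of(version):
    """Alpha releases carry an 'a' (7.5a6); everything else is stable."""
    return "alpha" if "a" in version else "stable"


def is_tor_browser(name):
    """Match the component name leniently: 'Tor Browser', 'tor-browser', ..."""
    return re.sub(r"[\s_-]", "", name).lower() == "torbrowser"


def assess(component):
    """Return a finding dict for an affected Tor Browser entry, else None."""
    if not is_tor_browser(component.get("name", "")):
        return None
    platform = component.get("platform", "").lower()
    if platform not in AFFECTED_PLATFORMS:
        return None  # Windows builds are not affected
    version = component["version"]
    affected, fixed = SERIES_FIXES[series_of(version)]
    if parse_version(version) >= parse_version(fixed):
        return None  # already carries the fix
    # Exactly the version the advisory names is 'affected'; anything older
    # is below the fix but not named, so ask for manual confirmation.
    status = "affected" if parse_version(version) == parse_version(affected) else "verify"
    return {"name": component["name"], "platform": platform,
            "version": version, "status": status, "upgrade_to": fixed}


def scan_inventory(inventory_json):
    """Scan a BOM-style JSON document and return the flagged components."""
    inventory = json.loads(inventory_json)
    return [f for f in (assess(c) for c in inventory.get("components", [])) if f]


# Constructed sample inventory (not a real BOM) exercising each branch.
SAMPLE_INVENTORY = json.dumps({"components": [
    {"name": "tor-browser", "version": "7.0.8", "platform": "linux"},
    {"name": "Tor Browser", "version": "7.0.8", "platform": "windows"},
    {"name": "Tor Browser", "version": "7.5a6", "platform": "macos"},
    {"name": "Tor Browser", "version": "7.0.9", "platform": "linux"},
    {"name": "Tor Browser", "version": "7.0.7", "platform": "linux"},
    {"name": "openssl", "version": "1.1.0f", "platform": "linux"},
]})

if __name__ == "__main__":
    for finding in scan_inventory(SAMPLE_INVENTORY):
        print(f"{finding['status']:8} {finding['name']} {finding['version']} "
              f"on {finding['platform']} -> upgrade to {finding['upgrade_to']}")
```

Run against the sample, the scan reports the Linux 7.0.8 and MacOS 7.5a6 entries as affected, the Linux 7.0.7 entry as needing verification, and stays silent on the Windows build, the patched 7.0.9 build and the unrelated OpenSSL entry. Pointing `scan_inventory` at a real export instead of `SAMPLE_INVENTORY` only requires mapping your BOM's fields onto the three keys the example assumes.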