The Tor Project released a patch for a vulnerability that leaks the real IP addresses of macOS and Linux users of its Tor Browser. The patch was issued late Friday and fixes a vulnerability found in Tor Browser version 7.0.8. The patch is in an upgrade to Tor Browser 7.0.9.
Windows users running Tor Browser 7.0.8 are not affected.
“Due to a Firefox bug in handling ‘file://’ URLs, it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser,” according to a post by Tor Project on Friday.
The post said Tails users and sandboxed-tor-browsers are also unaffected by the bug.
It is unclear if prior versions of the Tor Browser are also impacted or if it’s just version 7.0.8.
Filippo Cavallarin, CEO of We Are Segment, is credited for discovering the vulnerability and notifying Tor Project on Oct. 26. The Tor Project team said it created a workaround with the help of the Mozilla engineering team the following day.
“We developed an additional fix on Tuesday, October 31, plugging all known holes. We are not aware of this vulnerability being exploited in the wild,” the team said.
In addition to the Tor Browser 7.0.9 patch, the Tor team said it is preparing updated macOS and Linux bundles for its alpha series browser, expected Monday.
Submitted by: Arnfried Walbrecht