The Tor Project has released Tor Browser 8.5.2, which patches a critical vulnerability in Mozilla Firefox that is being actively exploited in the wild. The update is available on Tor’s download page and distribution directory.
According to the Tor Browser 8.5.2 release notes, the new version includes a fix for CVE-2019-11707, a critical type confusion vulnerability caused by errors in the Array.pop component of Firefox. Successful exploitation can lead to browser crashes.
Samuel Groß, the security researcher with Google Project Zero and Coinbase Security, found the vulnerability, which could be used for remote code execution when combined with a sandbox escape, as well as for cross-site scripting (XSS) attacks.
However, users of the safer and safest security levels in Tor are not affected by the flaw.
Besides resolving this serious security issue, the Tor Project has also updated NoScript to 10.6.3 to patch several issues including browser freezes and the accidental blockage of MP4 videos.
A delay in accessing Tor’s Android token means that the Android 8.5.2 version of the Tor Browser has not yet been released and is not expected to be available by the weekend. The mobile version of Tor will receive the patch now, but Android users are advised to switch to the safer or safest security level in order to reduce the risk from the active exploit.
To do this, Android users must open the menu to the right of the URL bar and then select “Security Settings.”