FYI

-------- Forwarded Message --------
Subject: Re: [tor-talk] Javascript exploit
Date: Wed, 30 Nov 2016 14:28:52 -0500
From: Roger Dingledine <arma@mit.edu>
Reply-To: tor-talk@lists.torproject.org
To: tor-talk@lists.torproject.org

On Wed, Nov 30, 2016 at 12:08:00PM +0000, Georg Koppen wrote:
> FWIW: We plan to release 6.0.7 with the patch Mozilla developed in a
> couple of hours. Updates to the alpha and hardened series will be
> provided as well thereafter.

Update:

* The blog post about the 6.0.7 Tor Browser update will go up any moment. I see that the Tor Browser team has already put the packages in https://dist.torproject.org/torbrowser/6.0.7/

* It looks like the vulnerability was in Firefox's SVG animation, so the exploit does not work unless you have both svg and javascript enabled. The "high" setting of Tor Browser's security slider disables both of these pieces of the browser.

* It looks like the exploit code went up on pastebin on Monday morning, and Mozilla worked on a patch yesterday, and updates to Firefox and Tor Browser and Tails are coming out today. The exploit only worked on Windows, but the vulnerability exists for Windows, OS X, and Linux.

In the meantime, if you slide your security slider to high, you won't be vulnerable to this issue.

--Roger

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk