Fwd: Re: [tor-talk] Javascript exploit

Mirimir mirimir at riseup.net
Wed Nov 30 13:23:28 PST 2016


FYI

-------- Forwarded Message --------
Subject: Re: [tor-talk] Javascript exploit
Date: Wed, 30 Nov 2016 14:28:52 -0500
From: Roger Dingledine <arma at mit.edu>
Reply-To: tor-talk at lists.torproject.org
To: tor-talk at lists.torproject.org

On Wed, Nov 30, 2016 at 12:08:00PM +0000, Georg Koppen wrote:
> FWIW: We plan to release 6.0.7 with the patch Mozilla developed in a
> couple of hours. Updates to the alpha and hardened series will be
> provided as well thereafter.

Update:

* The blog post about the 6.0.7 Tor Browser update will go up any
moment. I see that the Tor Browser team has already put the packages in
https://dist.torproject.org/torbrowser/6.0.7/

* It looks like the vulnerability was in Firefox's SVG animation, so the
exploit does not work unless you have both svg and javascript enabled.
The "high" setting of Tor Browser's security slider disables both of
these pieces of the browser.

* It looks like the exploit code went up on pastebin on Monday morning,
and Mozilla worked on a patch yesterday, and updates to Firefox and
Tor Browser and Tails are coming out today. The exploit only worked on
Windows, but the vulnerability exists for Windows, OS X, and Linux.

In the meantime, if you slide your security slider to high, you won't
be vulnerable to this issue.

--Roger
