TorMoil Vulnerability Leaks Real IP Address From Tor Browser Users; Security Update Released (bleepingcomputer.com) 21
Catalin Cimpanu, reporting for BleepingComputer: The Tor Project has released a security update for the Tor Browser on Mac and Linux to fix a vulnerability that leaks users' real IP addresses. The vulnerability was spotted by Filippo Cavallarin, CEO of We Are Segment, an Italian company specialized in cyber-security and ethical hacking. Cavallarin privately reported the issue -- which he codenamed TorMoil -- to the Tor Project last week. Tor Project developers worked with the Firefox team (Tor Browser is based on the Firefox browser) to release a fix. Today, the Tor team released version 7.0.9 to address the vulnerability. Tor Browser 7.0.9 is only available for Mac and Linux users. Tor Browser on Windows is not affected.
Windows is not affected (Score:4, Interesting)
Re: (Score:2, Interesting)
Boy, is that a change for once.
Yes and I read the article hoping to understand why. Boy was I disappointed.
Is there a good reason the article does not explain how the exploit works or exactly what the vulnerability was? It does admit that black-hats can easily determine this from reverse-engineering the patch. So really, what exactly is the justification for not disclosing the details to everyone else?
Re: (Score:2, Informative)
It's still too early to give a post-mortem for non-technical folks. The bug on Bugzilla will be opened when a proper fix is given, and right now only blackhats will want to know the technical details. Until users have updated to a more secure fix than the current work-around, full transparency isn't a good idea.
Re: (Score:2)
and right now only blackhats will want to know the technical details.
That is so not true. In technical detail, we call this a big fat lie.
I understand why the details are not disclosed, but I certainly don't agree with the Pareto rationale of better protecting the large number of non-technical users at the expense of the security-minded who can use the information in a productive way.
Re: (Score:1)
There is basically nothing stopping any security-minded folks who actually *can* use early information in a productive way from accessing it. Whitehats and other security folks who can actually write patches and resolve issues can easily ask for and gain access to these bugs. So this really is turned around on the people who think like you do: what can you really accomplish with the data that makes it worth the risk? Just because you know a bit about security issues and have a six-digit Slashdot ID doesn't
Re: (Score:2)
The reason is to give users a few days to patch.
Switch to I2P if you are so worried ;-) (Score:3)
But, on a more serious note, as the summary said, Tor Browser on Windows is not affected. But, as the summary did not say, Tor Browser on TAILS is also not affected.
So, grab an ISO for TAILS 3.12, liveboot it in a VM and keep Tor Browsing away...
Re: (Score:1)
Re: (Score:3)
That gives a good clue:
https://ourcodeworld.com/artic... [ourcodeworld.com]
Be careful with tor.... (Score:1)
People should be careful if depending on this for anything safety critical.
The German spy agency BND developed a system to monitor the Tor network and warned federal agencies that its anonymity is "ineffective". [netzpolitik.org]
There are lots of other reasons to treat it with caution. Won't dig up all the links, but this is a real high priority target for security agencies.
Something didn't work on a mac? (Score:2)