New Release: Tor Browser 8.5.2

by boklm | June 19, 2019

Tor Browser 8.5.2 is now available from the Tor Browser Download page and also from our distribution directory.

This release fixes a critical security update in Firefox. In addition, we update NoScript to 10.6.3, fixing a few issues.

Users of the safer and safest security levels were not affected by this security issue.

Note: As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend. In the meantime, Android users should use the safer or safest security levels. The security level on Android can be changed by going in the menu on the right of the URL bar and selecting Security Settings.

The full changelog since Tor Browser 8.5.1 is:

  • All platforms
    • Pick up fix for Mozilla's bug 1544386
    • Update NoScript to 10.6.3
Tags
tor browser
tbb
tbb-8.5

In a technical level Tor Project can't do anything, but on a PR level, it can and should. Tor Project could easily approach organizations/corporations like NVidia and explain blocking Tor Users is bad and they should allow it. Of course having other people also contacting and requesting the same is better, but Tor Project can't put itself out of the matter.

Mateus

Anonymous (not verified) said:

June 19, 2019

Permalink

The vulnerability exploits JavaScript, so why would `safer` not be affected if it enables JavaScript on HTTPS websites? Does the bug only work if JIT is enabled or something?

Not to say "I told you so", but can I jump in here to say "I told you so"? Not that I was saying anything you didn't already know. To wit: a strong case can be made for making "safest" the default security level and advising users to drop down as needed (choosing new identity each time they change the security level, a habit which should solve the problem that users might easily forget that security level changes affect all open tabs). In this case, at least one of the two critical vulns would have been prevented from affecting most users if this had been the default prior to this latest attack on FF (and TB).

An obvious compromise would be to make the default "safer". It seems Tor Project believes even this default would have prevented most Tor users from becoming easy victims of these FF zero-squared-day exploiting attacks.

Updating the Firefox version number requires that the Firefox langpacks corresponding to this version are available to start building. Taking the patch without updating the Firefox version number allows us to start building earlier.

Mateus

justaname (not verified) said:

June 20, 2019

Permalink

After doing the last Tor update Avast blocked the Firefox.exe telling me it is infected with IPD:Generic ?

anyone else experiencing this?

Mateus

Beatrix Willius (not verified) said:

June 20, 2019

Permalink

Couldn't start the latest version on beta 2 of macOS Catalina. There is an error that "updater.app is from an unidentified developer". I was not able to get the usual dialog to get an exemption by starting updater.app on it's own. After moving "updater.app" to the trash Tor is now starting.

In the long run, a better solution might be to use Tails instead of the Mac OS installed on your machine. Tails is free open-source software from a sister project of Tor Project; tails.boum.org. It attempts to provide an "amnesiac" system which boots from a DVD (or USB stick), which means that Tails tries not to leave any hardware traces. Very useful if you are working on human rights issues or as a reporter or children's social worker or municipal employee or telecom engineer or nurse in any other job where you may need to carry sensitive information on a portable device. The general idea is to keep all the information on a LUKS encrypted data stick which you mount and use with Tails booted in off-line mode, and when you need to access the internet, you remove the data stick and reboot Tails in on-line mode. Takes getting used to but it is much more practical than might sound once you get into the rhythm.

Mateus

hack (not verified) said:

June 20, 2019

Permalink

Hi, speed and loading pages on the tour in my area is papin. Please solve the problem barely loading webpages.
 

Mateus

Anonymous (not verified) said:

June 20, 2019

Permalink

Please don't forget to update the alpha series ASAP as well, especially after mfsa2019-19

I believe you meant 0.4.0.x While you wait for it to appear in the release repos, you can edit the suite in your deb line to say one of the "experimental" folder names here: https://deb.torproject.org/torproject.org/dists/

Example for Debian testing (Buster as of this date):
deb <a href="https://deb.torproject.org/torproject.org" rel="nofollow">https://deb.torproject.org/torproject.org</a> tor-experimental-0.4.0.x-buster main

Peter Palfrader manages Tor Project's Debian packages.

Mateus

Anonymous (not verified) said:

June 20, 2019

Permalink

Why is noscript no longer accesible via the address bar? This was far easier to click to temp allow certain domains. I cannot find any other way to see the list of domains to block or unblock each webpage loaded.
Have to manually type the url/domain by going to addons -> no script preferences

Ok thanks. Very easy to do. Overlooked it because there's hardly any space to right click on the toolbar in firefox and there appears to be no "customize" option in "preferences".

For any one else who needs to know how to add the addon widgets back in the toolbar:
https://trac.torproject.org/projects/tor/ticket/30600

It can manually be re-added by right-clicking the toolbar, selecting "Customize..." and dragging the NoScript icon back to the toolbar.