New Release: Tor Browser 8.5.2

by boklm | June 19, 2019

Tor Browser 8.5.2 is now available from the Tor Browser Download page and also from our distribution directory.

This release fixes a critical security update in Firefox. In addition, we update NoScript to 10.6.3, fixing a few issues.

Users of the safer and safest security levels were not affected by this security issue.

Note: As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend. In the meantime, Android users should use the safer or safest security levels. The security level on Android can be changed by going in the menu on the right of the URL bar and selecting Security Settings.

The full changelog since Tor Browser 8.5.1 is:

  • All platforms
    • Pick up fix for Mozilla's bug 1544386
    • Update NoScript to 10.6.3
Tags
tor browser
tbb
tbb-8.5

In a technical level Tor Project can't do anything, but on a PR level, it can and should. Tor Project could easily approach organizations/corporations like NVidia and explain blocking Tor Users is bad and they should allow it. Of course having other people also contacting and requesting the same is better, but Tor Project can't put itself out of the matter.

Anonymous

Dave Bowman (not verified) said:

June 19, 2019

Permalink

Nice work!

The vulnerability exploits JavaScript, so why would `safer` not be affected if it enables JavaScript on HTTPS websites? Does the bug only work if JIT is enabled or something?

Yes, this bug involves JIT.

Type Inference part of JIT is always on and cannot be disabled (https://trac.torproject.org/projects/tor/ticket/21865). It has a long history of holes, see https://bugzilla.mozilla.org/show_bug.cgi?id=619415. So, the question is whether JS interpreter + TI are not vulnerable or just the PoC doesn't work on that config?

Looking at the explanation of the bug in https://bugzilla.mozilla.org/show_bug.cgi?id=1544386 again, I still think that we are good with just disabling JIT as we do on medium security.

Not to say "I told you so", but can I jump in here to say "I told you so"? Not that I was saying anything you didn't already know. To wit: a strong case can be made for making "safest" the default security level and advising users to drop down as needed (choosing new identity each time they change the security level, a habit which should solve the problem that users might easily forget that security level changes affect all open tabs). In this case, at least one of the two critical vulns would have been prevented from affecting most users if this had been the default prior to this latest attack on FF (and TB).

An obvious compromise would be to make the default "safer". It seems Tor Project believes even this default would have prevented most Tor users from becoming easy victims of these FF zero-squared-day exploiting attacks.

Link says "Access Denied" but vulnerability is already public nothing to keep secret here.

When will it be open to everyone?

I think Mozilla usually waits for a while before making tickets public, to make sure vulnerable versions are not around anymore.

Works like a charm, better and better each release ...

Pick up fix for Mozilla's bug 1544386

Why that instead of
* Update Firefox to 60.7.1esr
???

Updating the Firefox version number requires that the Firefox langpacks corresponding to this version are available to start building. Taking the patch without updating the Firefox version number allows us to start building earlier.

Are you saying that Mozilla has non-optimal chemspill release process or you always need to run faster than the train?
https://hacks.mozilla.org/2018/03/shipping-a-security-update-of-firefox…
Maybe, it's possible to workaround that with engineers?

Taking a patch without updating the Firefox version allows us to start a build as soon as the patch is available, we don't need an other workaround.

After doing the last Tor update Avast blocked the Firefox.exe telling me it is infected with IPD:Generic ?

anyone else experiencing this?

Windows Defender is a free and well embedded alternative to false postives reporting adware.

Update your virus definition files. Virus scanners take time to release updates that recognize new programs. Or you could whitelist the exe.

Couldn't start the latest version on beta 2 of macOS Catalina. There is an error that "updater.app is from an unidentified developer". I was not able to get the usual dialog to get an exemption by starting updater.app on it's own. After moving "updater.app" to the trash Tor is now starting.

Don't do that as you don't get updates anymore that way. See: https://blog.torproject.org/comment/282621#comment-282621 for a current workaround, even though that one is awkward.

In the long run, a better solution might be to use Tails instead of the Mac OS installed on your machine. Tails is free open-source software from a sister project of Tor Project; tails.boum.org. It attempts to provide an "amnesiac" system which boots from a DVD (or USB stick), which means that Tails tries not to leave any hardware traces. Very useful if you are working on human rights issues or as a reporter or children's social worker or municipal employee or telecom engineer or nurse in any other job where you may need to carry sensitive information on a portable device. The general idea is to keep all the information on a LUKS encrypted data stick which you mount and use with Tails booted in off-line mode, and when you need to access the internet, you remove the data stick and reboot Tails in on-line mode. Takes getting used to but it is much more practical than might sound once you get into the rhythm.

And what with Tor Browser on Android?

We'll ship an update as soon as we can, probably on the weekend as the blog post says.

Time to update again: https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/

Yes, we're planning to publish a new release tomorrow.

i can't access reddit

Reddit is blocking exit nodes from Germany. The only thing you can do is to find new circuit.

Message reddit's administrators.
https://support.torproject.org/censorship/censorship-2/
https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlo…
https://2019.www.torproject.org/docs/faq-abuse.html.en
https://ooni.torproject.org/

Always find the website's Contact Us page.

Please bring back the option to change the exit node without resetting all pages.

The option is still there. You have to click on the left of the URL bar, to see the circuit for the current site, then there is a button to change it.

or ctrl+shift-L

Click "New Circuit for this Site"

Hi, speed and loading pages on the tour in my area is papin. Please solve the problem barely loading webpages.
 

Yup, I am having the exact same problems. TOR keeps timing out

I'll test this browser. Thank you

Please don't forget to update the alpha series ASAP as well, especially after mfsa2019-19

Yes, as soon as 8.5.3 is out we'll push a new release for alpha users.

yay thanks

When deb packets for 4.0.5.x will appear in tor project debian repo?

I believe you meant 0.4.0.x While you wait for it to appear in the release repos, you can edit the suite in your deb line to say one of the "experimental" folder names here: https://deb.torproject.org/torproject.org/dists/

Example for Debian testing (Buster as of this date):
deb <a href="https://deb.torproject.org/torproject.org" rel="nofollow">https://deb.torproject.org/torproject.org</a> tor-experimental-0.4.0.x-buster main

Peter Palfrader manages Tor Project's Debian packages.

It looks like the blog didn't display the line correctly. Plaintext URL addresses in a "code" block are not supposed to be wrapped in plaintext HTML "a" tags.

Thank you! But tor 0.4.0.x is no longer in experimental stage, its stable release appeared long time ago. I wonder why it is not in standard tor debian repos yet...

Why is noscript no longer accesible via the address bar? This was far easier to click to temp allow certain domains. I cannot find any other way to see the list of domains to block or unblock each webpage loaded.
Have to manually type the url/domain by going to addons -> no script preferences

you can also customize the tor browser to put it back into the adress bar

Ok thanks. Very easy to do. Overlooked it because there's hardly any space to right click on the toolbar in firefox and there appears to be no "customize" option in "preferences".

For any one else who needs to know how to add the addon widgets back in the toolbar:
https://trac.torproject.org/projects/tor/ticket/30600

It can manually be re-added by right-clicking the toolbar, selecting "Customize..." and dragging the NoScript icon back to the toolbar.