Tor Browser 6.0.7 is released

Tor Browser 6.0.7 is now available from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Firefox and contains, in addition to that, an update to NoScript (2.9.5.2).

The security flaw responsible for this urgent release is already being actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit available for OS X or Linux users, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.

Tor Browser users who had set their security slider to "High" are believed to have been safe from this vulnerability.

We will have alpha and hardened Tor Browser updates out shortly. In the meantime, users of these series can mitigate the security flaw in at least two ways:

1) Set the security slider to "High", as this prevents the exploit from working.
2) Switch to the stable series until updates for alpha and hardened are available, too.

Here is the full changelog since 6.0.6:

  • All Platforms
    • Update Firefox to 45.5.1esr
    • Update NoScript to 2.9.5.2

Update: We would like to remind everyone that we (The Tor Project) are having our 2016 fundraising campaign! Donate today!

I figured it out. I dismounted the flash drive, restarted the computer, and then double-clicked on the old Tor browser that was now on the desktop. The browser then showed my current bookmarks. I saved them to the desktop, then exited the Tor browser. I then changed the file name of the browser and securely deleted it. I then went back to using the latest version of Tor on the flash drive and imported my newest bookmarks into the Tor browser. Problem solved and lesson learned!

Thanks for a quick reply and trying to assist me!

John

December 09, 2016


Mac OS problems
-Strangely when I remove Tor browser 6.06 sha 256 59e127188f4090efe45f31318a6117e8c59532f756c2324c0369538b988f5fbd
and reinstall, Bookmarks are automatically restored.

-In the directory Torbrowser.app/contents/MacOS/Tor/pluggabletransports, it is missing the transports FTE and scramblesuit, yet scramblesuit is shown in the Torbrowser.

On OS X, the Tor Browser user data folder is separated from the one containing the binaries needed to run Tor Browser. In order to get a fresh experience, you must delete the former as well. In case you installed Tor Browser to /Applications, your user data should be in ~/Library/Application Support/TorBrowser-Data.

Yes, FTE is missing as its outline on disk does not comply with Gatekeeper signing requirements (see: https://trac.torproject.org/projects/tor/ticket/18495). Scramblesuit is nowadays provided by obfs4proxy.

John

December 10, 2016


It's worth noting that so far both this exploit and the earlier CIPAV installing exploit relied on javascript and used a Windows-only payload. If your safety or even more so that of anyone else depends on anonymity, you should not use Windows for Tor, and should avoid using websites that don't work without javascript for work that requires anonymity. When you must use JS, (say for posting a video of the local police chief going to a pimp for his weekly session with a ten year old) layer your defenses by using Tails from a public wifi access point, and sitting where security cameras cannot see you.

John

December 13, 2016


On my Mac, if I place an entry in the find field on my Torbrowser, it also appears in my firefox, find field 50.02.

John

December 15, 2016


Apparently this patch was created from a leaked exploit posted on an extremely illegal website, according to VICE Media who may now have turned their researchers into criminals just by visiting the site.

Are there any legal issues involved in counter-forensics patches or are software developers safe because it makes their software less vulnerable to exploits that could be hazardous to users in general?

John

December 20, 2016


Using Tor 6.0.7 on Windows with automatic checking for updates set to false, updates were still automatically downloaded and installed. This behavior seems like a bug to me (even if automatic updates are advisable).