Tor Browser 7.0.9 is released

Note: Tor Browser 7.0.9 is a security bugfix release for macOS and Linux users only. Users on Windows are not affected and stay on Tor Browser 7.0.8.

Tor Browser 7.0.9 is now available for our macOS and Linux users from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor Browser for macOS and Linux users. Due to a Firefox bug in handling file:// URLs, it is possible on both systems for users to leak their IP address (note: as of Nov. 4, 2017, this link is non-public while Mozilla works on a fix for Firefox). Once an affected user navigates to a specially crafted URL, the operating system may connect directly to the remote host, bypassing Tor Browser. Tails users and users of our sandboxed-tor-browser are unaffected, though.

The bug got reported to us on Thursday, October 26, by Filippo Cavallarin. We created a workaround with the help of Mozilla engineers on the next day which, alas, fixed the leak only partially. We developed an additional fix on Tuesday, October 31, plugging all known holes. We are not aware of this vulnerability being exploited in the wild. Thanks to everyone who helped during this process!

We are currently preparing updated macOS and Linux bundles for our alpha series, which will be tentatively available on Monday, November 6. Meanwhile, macOS and Linux users on that series are strongly encouraged to use the stable bundles or one of the above-mentioned tools that are not affected by the underlying problem.

Update: Tor Browser 7.5a7 has now been released.

Known issues: The fix we deployed is just a workaround stopping the leak. As a result, navigating file:// URLs in the browser might not work as expected anymore. In particular, entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or onto a tab instead. We track this follow-up regression in bug 24136.

Here is the full changelog since 7.0.8:

  • OS X
    • Bug 24052: Streamline handling of file:// resources
  • Linux
    • Bug 24052: Streamline handling of file:// resources

November 06, 2017


What if the user is under Tor using normal Firefox browser and Windows (I mean, not Tor Browser, just Mozilla Firefox properly set to use with Tor expert bundle)? Will he be vulnerable to this TorMoil bug? Or he is not vulnerable because OS is Windows?


November 06, 2017


Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address

Could you tell in which TBB version this bug first appeared?

There is some news about recent busts, where police were running one onion HS for 11 months. Later 95,000 IP addresses were discovered:

We have seen in several hidden forums that they recommend certain file-sharing services, and this discussion may happen not just on the Internet. One can therefore look at this world map as a representation of several geographic networks of downloaders

Can this 95,000 IP leak be related to this TBB bug? It is written that

The information is gathered from activities logged from a small number of file-sharing services which are preferred by people who share this kind of material.

However, if people are in "hidden" (tor) sites that rely on tor, all files are usually downloaded in the same browser that also uses tor. Is it meaningful that 95,000 people used their normal browser to download files faster without tor?


November 07, 2017


uBlock Origin
It looks like that if you use the uBlock Origin addon like the Tails version of Torbrowser does that "wss://" websockets are blocked.
Why does Torproject not embed the uBlock Origin addon as well in Torbrowser?

Because part of our philosophy is not to apply filters but follow a privacy-by-design approach. See: section 5. No filters.

I see, I see also filter list functions in Noscript and https Everywhere (one big list but not covering many websites too), but not a special function in Noscript that protects the user from unwanted functionality in the browser like the ones discussed in this topic.
Therefore the ublock addon seemed to be a reasonable solution because it does block this, it is also used by TAILS and above all it seems that we cannot rely on the continuous changes that firefox has with functionality that no one really wants and is creating security and privacy problems for at least 3 years now. Mac users probably better can use TAILS because their support is far broader and more reliable than mozilla offers.
Thank you for answering anyway

Takes 7 mouse clicks to turn off automatic updates!! Even to change to "Check for updates, but let me choose whether to install them"

Edit > Preferences > Security > Warn me when sites try to install add-ons > Exceptions > Remove All Sites > Save Changes
is NOT respected when restarting!!!

Surely you can do better than this!!!!

Or is TorBrowser secretly spyware????

Sure, there is always room for improvement. I think a good start would be to file a ticket in our bug tracker about the settings not respected after restart. And even better if it comes with a patch to fix the problem.

Have you researched "NIT" and fixed the vulnerability?

Why would you possibly want to turn off automatic updates? Automatic updates are extremely important for fixing critical security bugs.

I'm unable to watch videos with the webm format; this is the message I get next to the link: "Your browser does not support HTML5 video". I have the latest version of Tor Browser, 7.0.9. Any solutions?

So is this problem caused by file:// being handled in the context of the host, local address? We've been here before, similar to the problem with allowing unfettered local address access, in that it can bypass the proxy... only in the case of local address access the useful situation exists.

My OS and supported lang are displayed in
Is this a bug?

I don't see that when I am using the test. It tells me I am using a Mac but I actually tested with a Linux machine. And I did not see my locale either. So, whatever they report, they are not really recognizing your configuration.

The test tells me I am using a Mac and I tested with a Mac.

2 questions: Is it expected that a transition to quantum-base would resolve the builtin file manager issues, and if that's the case,
Is there a trac somewhere for investigating a fix that does not involve gutting file:/// support? Which is to say if the current design has an issue with multi-process access to shared proxy is there a trac to start?

No, the switch to Firefox Quantum would not solve the issues we see with using file://. What we really need is a fix for which is not so easy, I am afraid.


Is this log regular?

13/11/2017 14:31:27.000 [WARN] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (No route to host; NOROUTE; count 1; recommendation warn; host 79861CF8522FC637EF046F7688F5289E49D94576 at
13/11/2017 14:31:41.000 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
13/11/2017 14:31:41.000 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection
13/11/2017 14:31:41.000 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus
13/11/2017 14:31:41.000 [NOTICE] Bootstrapped 25%: Loading networkstatus consensus
13/11/2017 14:31:41.000 [NOTICE] I learned some more directory information, but not enough to build a circuit: We're missing descriptors for some of our primary entry guards
13/11/2017 14:31:41.000 [NOTICE] Bootstrapped 64%: Loading relay descriptors
13/11/2017 14:31:41.000 [NOTICE] Bootstrapped 69%: Loading relay descriptors
13/11/2017 14:31:41.000 [NOTICE] Bootstrapped 76%: Loading relay descriptors
13/11/2017 14:31:41.000 [NOTICE] Bootstrapped 80%: Connecting to the Tor network
13/11/2017 14:31:41.000 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit
13/11/2017 14:31:41.000 [NOTICE] Tor has successfully opened a circuit. Looks like client functionality is working.
13/11/2017 14:31:41.000 [NOTICE] Bootstrapped 100%: Done
