A few days ago, in my German article "Tor Browser 8.0 erschienen", I introduced the new version of the Tor browser. If you're still using an older Tor 7.x version, you should switch as soon as possible.
Zerodium, a vendor that buys and sells exploits for software, has announced on Twitter that Tor 7.x is insecure. A bug allows a user's choice of security level to be bypassed.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected. — Zerodium (@Zerodium), 10 September 2018
Probably all Tor 7.x browsers are affected by the JavaScript exploit. Only the new Tor 8.x version is not affected. The developer of the NoScript add-on developed and released an update (5.1.8.7) after ZDNet.com pointed out the facts in this article. neowin.net writes here that Zerodium sold the exploit months ago to another company that shares it with government organizations. So the recommendation is to update to Tor 8.x.