Opened 4 years ago

Closed 4 years ago

#16744 closed defect (fixed)

Update TBB to ESR 38.1.1 (MFSA2015-78, CVE-2015-4495) - exploited in the wild

Reported by: cypherpunks
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: MFSA2015-78, CVE-2015-4495
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

permalink.gmane.org/gmane.network.tor.user/37261

Child Tickets

Change History (5)

comment:1 Changed 4 years ago by cypherpunks

Keywords: MFSA2015-78 CVE-2015-4495 added
Summary: PDF Exploit in Firefox → Update TBB to ESR 38.1.1 (MFSA2015-78, CVE-2015-4495) - exploited in the wild

comment:2 Changed 4 years ago by cypherpunks

https://twitter.com/wiretapped/status/630438666708627458 says the in-the-wild malicious payload described in the mozilla blog is now public here: https://pastebin.ubuntu.com/12030863/ and recommends setting pdfjs.disable.

will that protect against this vulnerability?

has anyone considered building a (secure, auditable, etc) mechanism for pushing out emergency configuration patches? there have been instructions for mitigating many recent firefox bugs with about:config settings. couldn't those be deployed automatically in a much more timely fashion than tor browser updates?

comment:3 Changed 4 years ago by mikeperry

The PDF.js exploit in the wild does not affect TBB 4.5 users. It exploited a specific property of Firefox 38. Unfortunately, this does mean our 5.0a3/5.0a4 alpha users are vulnerable. The "High" Security slider setting will block the exploit even for those users.

We don't recommend disabling pdf.js long-term via pref, since every other PDF reader in existence can deanonymize you by loading embedded remote resources outside of your Tor proxy settings.

5.0 and 5.5a1 will be out on Tuesday, August 11th (ie: in about 12 hours or so). 4.5 users will be upgraded to 5.0 (based on Firefox 38-esr, but with the fix included). 5.0a3 and 5.0a4 users will be upgraded to 5.5a1 (also based on Firefox 38-esr, but with the fix included).

comment:4 Changed 4 years ago by mikeperry

https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c33 is the statement from Mozilla for FF31 not being vulnerable. They have made a similar statement on the ESR mailing list.

comment:5 Changed 4 years ago by gk

Resolution: fixed
Status: new → closed

This is fixed meanwhile.
