Tor Browser Releases Two Consecutive Minor Emergency Updates to Fix Multiple Major Security Vulnerabilities

Back in October of last year, a major version 13.0 of the Tor Browser was released, making several accessibility and user experience improvements. Recently, on March 19th and March 22nd, the Tor Project released two minor emergency updates to the Tor Browser, fixing several major security vulnerabilities in Firefox. "ODN" reminds everyone to upgrade the latest version of Tor Browser as soon as possible.

Tor Browser 13.0.12

On March 19th, the Tor Project released Tor Browser version 13.0.12, which removes the automatic prioritization of .onion sites on the one hand, and completes an important security update for Firefox on the other.

The Tor Project says it has recently received notifications of a potential fingerprinting vulnerability related to automatic Onion-Location redirection. As a precautionary measure, the "Prioritize .onion sites when known" option has been removed from the Tor Browser for the time being, and the Tor team is looking into the issue further and will provide an update as soon as more findings and recommendations are available.

According to the Tor website:

browser fingerprinting
Fingerprinting is the process of collecting information about a device or service to make educated guesses about its identity or characteristics. Unique behavior or responses can be used to identify the device or service analyzed. Tor Browser prevents fingerprinting.

According to the Mozilla Foundation's Security Bulletin, the following security vulnerabilities have been fixed in Tor Browser version 13.0.12 (based on Firefox ESR 115.9):

• CVE-2024-0743: Crash in NSS TLS method
• CVE-2024-2605: Windows Error Reporter could be used as a Sandbox escape vector
• CVE-2024-2607: JIT code failed to save return registers on Armv7-A
• CVE-2024-2608: Integer overflow could have led to out of bounds write
• CVE-2024-2616: Improve handling of out-of-memory conditions in ICU
• CVE-2023-5388: NSS susceptible to timing attack against RSA decryption
• CVE-2024-2610: Improper handling of html and body tags enabled CSP nonce leakage
• CVE-2024-2611: Clickjacking vulnerability could have led to a user accidentally granting permissions
• CVE-2024-2612: Self referencing object could have potentially led to a use-after-free
• CVE-2024-2614: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9

Tor Browser 13.0.13

On March 22, the Tor Project released Tor Browser version 13.0.13, an unplanned emergency update release that contains important security updates for the desktop platform Firefox. The Android version of the Tor Browser is not affected.

According to the Mozilla Foundation's security bulletin, the security vulnerabilities fixed in Tor Browser version 13.0.13 (based on Firefox ESR 115.9.1) are listed below:

CVE-2024-29944: Privileged JavaScript Execution via Event Handlers (An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox.)

If you have installed Tor Browser, please update it as soon as possible via the "Check for Updates" button on the Tor Browser itself.