Submitted via IRC for SoyCow1984
TorMoil, as the flaw has been dubbed by its discoverer, is triggered when users click on links that begin with file:// rather than the more common https:// and http:// address prefixes. When the Tor browser for macOS and Linux is in the process of opening such an address, "the operating system may directly connect to the remote host, bypassing Tor Browser," according to a brief blog post published Tuesday by We Are Segment, the security firm that privately reported the bug to Tor developers.
On Friday, members of the Tor Project issued a temporary work-around that plugs that IP leak. Until the final fix is in place, updated versions of the browser may not behave properly when navigating to file:// addresses. They said the Windows versions of Tor, Tails, and the sandboxed Tor browser that's in alpha testing aren't vulnerable.
(Score: 0) by Anonymous Coward on Tuesday November 07 2017, @08:51PM (2 children)
And there was a *HUGE* stink about it when it was implemented too, for exactly this concern. I am not sure if the mail archives survive that far back, but someone with strong google-fu should be able to provide the supporting links for this as-yet unsubstantiated statement of fact.
Most of Mozilla's problems have been self-inflicted. If it doesn't show up under Firefox, it might be under Phoenix, Firebird, or Mozilla Browser Suite, although I am pretty sure the debate happened during the switch from gtk to xul when a lot of FF features were getting pared away and stupid insecure shit added.
(Score: 0) by Anonymous Coward on Tuesday November 07 2017, @11:55PM (1 child)
When what was implemented, support for file:// URIs? That was in Mozilla in 2001 [mozilla.org], if not earlier. Phoenix, which eventually became Firefox, was first released in 2002.
(Score: 0) by Anonymous Coward on Wednesday November 08 2017, @08:26AM
file:// URLs were in Netscape back around 1996, probably before that.