Tails users are advised not to use the included Tor Browser until a security patch is available


Following the disclosure of a prototype pollution vulnerability, Tails is recommending that users stop using Tor Browser, which comes packaged with the privacy-focused operating system (OS).

Tor Browser is a fork of the open source Firefox web browser, which is where the major vulnerability, CVE-2022-1802, was discovered.

Through prototype pollution, an attacker could corrupt the methods of an Array object in JavaScript and thereby execute attacker-controlled JavaScript code in a privileged environment.

A second flaw, identified as CVE-2022-1529, could allow an attacker to send a message to the parent process, the contents of which could be used to double-index into a JavaScript object, resulting in prototype pollution and, eventually, attacker-controlled JavaScript executing in the privileged parent process.
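The double-index pattern described above, as an added example (constructed here, not Firefox or Tor Browser code): a hypothetical handler `unsafeStore` writes `store[group][key]` with both keys taken from an untrusted message, shown beside a hardened `safeStore`. All function names and the sample message are assumptions.

```javascript
// Constructed sketch of a "double index" write driven by an untrusted message.
function unsafeStore(store, msg) {
  // If msg.group is "__proto__", store[msg.group] resolves to Object.prototype,
  // so the write lands on the prototype shared by every plain object.
  store[msg.group][msg.key] = msg.value;
}

const FORBIDDEN_KEYS = new Set(["__proto__", "prototype", "constructor"]);

function safeStore(store, msg) {
  for (const k of [msg.group, msg.key]) {
    if (typeof k !== "string" || FORBIDDEN_KEYS.has(k)) {
      throw new TypeError("rejected key: " + String(k));
    }
  }
  // Follow own properties only; new groups get a prototype-less object.
  if (!Object.prototype.hasOwnProperty.call(store, msg.group)) {
    store[msg.group] = Object.create(null);
  }
  store[msg.group][msg.key] = msg.value;
}

function demo() {
  // Constructed hostile message: the first index selects the prototype.
  const msg = { group: "__proto__", key: "isPrivileged", value: true };
  const result = {};

  unsafeStore({ prefs: {} }, msg);
  // An unrelated, freshly created object now "has" the property.
  result.pollutedAfterUnsafe = ({}).isPrivileged === true;
  delete Object.prototype.isPrivileged; // undo the pollution before continuing

  const store = Object.create(null);
  store.prefs = Object.create(null);
  try {
    safeStore(store, msg);
    result.rejected = false;
  } catch (e) {
    result.rejected = e instanceof TypeError;
  }
  result.pollutedAfterSafe = "isPrivileged" in {};

  // A legitimate message still works with the hardened handler.
  safeStore(store, { group: "prefs", key: "theme", value: "dark" });
  result.legitWrite = store.prefs.theme === "dark";
  return result;
}

console.log(demo());
```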

Knock-on impact

The makers of Tails, a Debian-based Linux system built for security and anonymity, urged users not to use Tor Browser when handling sensitive information, since the flaw might compromise the security it offers.

This is at least until Tails 5.1, which is set to be released on May 31.

“This vulnerability allows a hostile website to overcome part of the protection implemented into Tor Browser and access information from other websites,” according to a Tails security alert.

“For example, after visiting a malicious website, an attacker managing that website may gain access to the password or other sensitive information that you later provide to other websites while using Tails.”

The issue does not compromise the anonymity and encryption of Tor connections, so using Tails to view websites is still secure and anonymous as long as you do not share sensitive information with them.

Other applications in Tails are not susceptible because JavaScript is disabled in them. Tor Browser’s Safest security level is also unaffected because JavaScript is disabled at this level.

Incoming fixes

Tails 5.0 includes Tor Browser 11.0.11, which contains the prototype pollution bug.

Users may use the standalone, fully updated version of the browser on Mac, Windows, or Linux while they wait for Tails 5.1, which will include the Tor Browser 11.0.13 security upgrade.

The Tails team stated, “This vulnerability will be resolved in Tails 5.1 (May 31), however our team does not have the resources to produce an emergency release earlier.”

More information on the security problems revealed by researcher Manfred Paul may be found in a Mozilla security alert.

It also includes information on how to protect against the vulnerabilities in Firefox, Firefox ESR, Firefox for Android, and Thunderbird.
