[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] pdf with tor



tor-admin@torland.me:
> On Friday 07 August 2015 13:25:02 Cain Ungothep wrote:
> > > Well, Mozilla announced a secadv for pdf.js recently, so there's that.
> > > 
> > > https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
> > 
> > Ugh, here comes another:
> > 
> > https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
> > 
> > This one seems specially nasty in the context of Tor. Notice the following 
> sentence:
> > > Mozilla has received reports that an exploit based on this vulnerability
> > > *has been found in the wild*.
> > 
> 
> As long as the Mozilla fix is not consumed by TBB you can prevent TBB from 
> opening PDF document using pdf.js. Open about:config and toggle 
> *pdfjs.disabled* to true. Now TBB asks for an external pdf viewer when it 
> receives a pdf document. 

FYI: The PDF.js exploit in the wild does not affect TBB 4.5 users. It
exploited a specific property of Firefox 38 that did not apply to
Firefox 31[1]. Unfortunately, this does mean our 5.0a3/5.0a4 alpha users
are vulnerable, since they are based on Firefox 38. The "High" Security
Slider setting will block the exploit even for those users, since
Javascript is required for it to function. 

We don't recommend disabling pdf.js long-term via pref, since every
other PDF reader in existence can deanonymize you by loading embedded
remote resources outside of your Tor proxy settings (in addition to
likely being vulnerable to far more serious security issues).

5.0 and 5.5a1 will be out on Tuesday, August 11th (ie: in about 12 hours
or so). 4.5 users will be upgraded to 5.0 (based on Firefox 38-esr, but
with the fix included). 5.0a3 and 5.0a4 users will be upgraded to 5.5a1
(also based on Firefox 38-esr, but with the fix included).


1. https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c33 is the
statement from Mozilla for FF31 not being vulnerable. They have made a
similar statement on the ESR mailinglist (but that does not have open
archives).


-- 
Mike Perry

Attachment: signature.asc
Description: Digital signature

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk