New Tor Browser Bundles (security release)

by erinn | May 4, 2012

The Tor Browser Bundles have been updated with a very important security fix. As explained in the previous blog post, a user discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This is now fixed and we strongly encourage all users to update. There are a few other bugfixes in this release, including really fixing (for real this time!) the problem with the Mac OS X bundles crashing.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-11)

  • Security release to stop TorBrowser from bypassing SOCKS proxy DNS configuration
  • New Firefox patches:
    • Prevent WebSocket DNS leak (closes: #5741)
    • Fix a race condition that could be used to link browsing sessions together when using new identity from Tor Browser (closes: #5715)
  • Remove extraneous BetterPrivacy settings from prefs.js (closes: #5722)
  • Fix the mozconfig options for OS X so that it really builds everything with clang instead of llvm-gcc (closes: #5740)

Comments

Please note that the comment area below has been archived.

May 04, 2012

Permalink

I just downloaded the new 2.2.35-11 update, but on starting it up I'm informed by the startup page that there is a security update...Glitch?

May 04, 2012

Permalink

Hello there.
I don't really know if this is just me, but when the ff window pops, the minimize-maximize-close buttons on the top right corner are not properly shown. In fact they are just black.

I know that's probably nothing though,
Thanks for the new update.

May 04, 2012

Permalink

I'm using the Vidalia Bundle, together with an external version of Firefox. Am I affected by this security bug? Do I have to set network.websocket.enabled to false?

May 04, 2012

Permalink

Thanks for the quick fix. In this new release, the value of "network.websocket.enabled" is "true" again. Is this ok?

"In this new release, the value of "network.websocket.enabled" is "true" again. Is this ok?"

Confirmed on Tor Browser Bundle (2.2.35-11); suite=linux

--- From: ~/tor-browser_en-US/Docs/changelog:
---
--- * New Firefox patches:
--- - Prevent WebSocket DNS leak (closes: #5741)

But network.websocket.enabled remains set at true!

How was this patched when the value remains set as true? Shouldn't the above value be false as instructed in a former blog post here?

Doesn't this deserve an official answer?

If the people who run this blog are going to ignore at least 90% of perfectly valid (and repeated) questions such as this, why even allow comments in the first place? Just to tease?

That was a workaround, it's not needed anymore now that the issue is patched. The problem was not network.websocket.enabled set to true, but the fact that DNS requests for websocket connections were not made by proxy. You could work around that by disabling the websocket feature completely, but why would you need to do it now? Please read things carefully before asking questions.

Well, as you can see in the blog post, the fix is listed under Firefox patches, which means they modified the source code as opposed to user-level configuration. The earlier recommendation was just a temporary workaround -- now the problem appears to be fixed for good.

I agree and vote for the creation of a forum. I'm still baffled by the fact that Tor has made public that they have 13 full time employees. They accept emails and phone calls. Yet they can't manage to start up a simple forum? Why not?

May 04, 2012

Permalink

OK, I've installed the security upgrade but now the Vidalia Control Panel just hangs?
What to do???
Thanks, XP user.

May 04, 2012

Permalink

TBB 2.2.35-11 can not handle with Win 7 Theme at 32 / 64 bit version.

Minimize, Enlarge and Closebutton are missing and the Browser-Window is grey.

I'm going back to 2.2.35-8

Please fix this bug or bring back the old Torbutton for Firefox.

Thanx!

May 04, 2012

Permalink

I've been using the new version for a couple of hours (on Mac OS X 10.7.3), and I've experienced no crashes. Thanks for fixing that!

May 05, 2012

Permalink

I suggest the Tor Project develop a rating system for security problems so users have a means of judging the importance of security issues relative to each other. Something like:

E = Minor security issue affecting few users on few websites
D = Minor security issue affecting many users on most websites
C = Medium security issue affecting few users on few websites
B = Medium security issue affecting many users on most websites
A = Severe security issue

While we would like to believe Tor is 100% bulletproof 100% of the time, very few products, if any, meet such a stringent standard.

Good luck.

May 05, 2012

Permalink

The code signature on the latest OSX packages are broken:

$ codesign -vv /xxxxTorBrowser_en-US\ 09-56-27-116.app
resource modified: /xxxx/TorBrowser_en-US 09-56-27-116.app/Contents/Resources/Docs/changelog

May 05, 2012

Permalink

The code signature on the latest OSX packages are broken:

  1. $ codesign -vv /xxxx/TorBrowser_en-US\ 09-56-27-116.app<br />
  2. /xxxx/TorBrowser_en-US 09-56-27-116.app: a sealed resource is missing or invalid<br />
  3. resource modified: /xxxx/TorBrowser_en-US 09-56-27-116.app/Contents/Resources/Docs/changelog

May 05, 2012

Permalink

Why the close, minimize and maximize buttons are black? someone else have this fucking bug? i'am on win 7

May 05, 2012

Permalink

i log onto Tor and i get this message for an important security release download i use the link provided but all i get is the page to download the whole bundle again, 2.2.35_11 bundle, is there a specific download or just do re download the whole bundle,
please help

Les

May 05, 2012

Permalink

Can't load .onion sites on Puppy Linux 5.2.0 Lucid 32-bit. Reverted to 2.2.35-11 and used the fix with about:config, works. Please fix.

May 06, 2012

Permalink

I read at http://www.pastie.org/3867284
that the company MarkMonitor is controlling the domains for
Google, Gmail, Facebook, Yahoo, Hotmail and other big names.

It is stated further that MarkMonitor is a trusted Certificate Authority.
Is that certificate enabled in TorBrowser?

May 07, 2012

Permalink

Cant use this version as Norton Sonar protection deletes teh Tor.rxr file.
reverted to previous.

May 07, 2012

Permalink

Hi,
there seems to be a misconfiguration with NoScript in the last linux version of Tor Bundle (v 2.2-35-11) :

when i run ./start-tor-browser and the browser opens , the default NoScript policy is "Allow Global" (aka enable all javascript, the user has to click on "Forbit Globally" )

It's not a misconfiguration. TorBroswer is safe to use with JS enabled do to patches on FF codebase and use of TorButton.

This question must have been asked, oh, maybe a gabillion times. It's not your fault though, I see it as the fault of the Tor project **NOT** focusing enough on user outreach. I mean really, how hard would it be for someone at Tor Project to write a TorBrowser FAQ?????????????????????????????

Tor Project needs less coders and more people persons to help those trying to use Tor. Heck, even if we had the best Tor in the world, if few people knew who to safely use it, it's worth exactly squat.

May 08, 2012

Permalink

For a long time now, no matter the version, whenever I close Tor after the first time I open, it refuses to open again and crashes before anything opens. Does anybody know a fix?

I have the same issue.

another problem I consistently have is that the Tor Browser (previously firefox) just fails to open at all, even long time after Vidalia Control Panel is connected to the tor network.

I'm having a similar problem; every time I click "start Tor browser," my computer freezes and I have to force-restart. Hopefully somebody who knows more than I do has had this problem and knows how to fix it...

May 08, 2012

Permalink

Too bad one is no longer able to do the Polipo workaround with this release because libgnurx-0.dll was taken out and Polipo can not start without it. Copying this file from the .8 release into this one (apps directory) does allows Polipo to start and run (uses posrt 8118). I do this because I want socks 4a not 5 or 4. Although 5 may be more secure with the tbb firefox, it may not be with torrified applications or possibly hidden services.

Will reincorporating this dll file bring back a security problem? Why was it removed anyway?

May 08, 2012

Permalink

UPDATE Tor Browser Bundle

1: Fix Minimize and Maximize Buttons that are Black.
2: Fix and Improved Tor Browser Performance Speed.
3: Fix and Prevent Tor Browser Bundle Crash.
4: Fix and Update Security Setting in Browser.
5: Fix and Update Tor Browser Spell Checking.

May 09, 2012

Permalink

I started to use the 2.2.35-11 bundle, and Norton 360 said it noticed a suspicious operation and deleted the statup exe file. . .any advice?

The 2.2.35-8 bundle used to work just fine in this respect. . .

May 10, 2012

Permalink

Cant use this version as Norton Sonar protection deletes the Tor. run file.
reverted to previous

May 11, 2012

Permalink

I downloaded latest upgrade 2.2-35-11 and vidalia wont open...error log says port not configured correctly.

May 11, 2012

Permalink

We don't need your bundle crap! We don't need a new browser each time that we want a fucking add-on! Torbutton is all that we need!

May 11, 2012

Permalink

Hey you guys.
The WEBSOCKET IS FIXED! THAT IS WHY YOU DON'T NEED TO DISABLE IT. CAUSE IT IS NOT LEAKING ANYMORE.
AND NOSCRIPT's ORIGINAL SETTINGS ARE OF NOSCRIPT, NOT TORBROWSER.
THE ICONS, ARE YOU BLIND? IT'S BEEN BLACK FOR AGES YOU IGNORANT USERS.
DON'T BLAME THEM IF YOU'RE NOT HELPING THEM TO PROGRAM.

May 13, 2012

Permalink

Quick question....not sure if this was a problem in previous versions did not seem to be. When I hit use another identity... well it uses another identity, but seems to just go through 4 different nodes, over and over again. Why is this?

May 14, 2012

Permalink

I set my dns-servers ip-adress to localhost some months ago. How can dns-leaks have a chance this way i wonder. I would say no chance.

Tor doesn't need a dns-server in the nic's config.

Who has done the same?

May 17, 2012

Permalink

my torbrowser can not connect as it stops at connectig to relay directory some one please help me how to connect it as i need it.......

How long did you give it?

I've found that sometimes, it can take at least two or three minutes to establish the connection.

Also, after getting the message that I've connected to Tor, there is always a delay of at least several seconds before the browser actually opens.

"my torbrowser can not connect as it stops at connectig to relay directory"

This is what would happen whenever I would try to run TBB from any live environment. (Something I have not tried to do since at least two releases ago)

May 21, 2012

Permalink

In Firefox 12 I need to set the browser.cache.memory.enable;false, always. I can do this this manually in the about:config page but when I relaunch it goes back to true. Its a real pain.

There are a number of prefs.js in the bundle directory structure so which one should I use? The same would have applied to the security bug now fixed prior to the fix release.

June 22, 2012

Permalink

UPDATE Tor Browser Bundle
1: Fix Minimize and Maximize Buttons that are Black.

> Icons still black here.

DON'T BLAME THEM IF YOU'RE NOT HELPING THEM TO PROGRAM.

> Why not? It sounds pretty obvious tor programmers love pulling tarballs up their arses on their Penix boxes rather than fixing issues with Windows theme support.