Tails 4.2.2: Emergency release addresses critical Tor Browser vulnerability

Type confusion bug patched amid reports of targeted attacks being executed in the wild

Tails, the USB-borne operating system that aims to shield users from censorship and surveillance, has addressed a critical vulnerability in the Tor Browser that comes bundled with the software.

Issued yesterday (January 14), Tails 4.2.2 is an emergency release that was necessitated by the discovery of a critical flaw in Firefox, the platform on which the Tor Browser is based.

In a security advisory issued January 8, 2020, Mozilla said it had patched Firefox against the zero-day flaw, a type confusion bug affecting the browser’s IonMonkey JavaScript Just-in-Time (JIT) compiler.

It added that it was “aware of targeted attacks in the wild abusing this flaw”.

A type confusion vulnerability occurs when a memory input’s type is reallocated during manipulation, potentially leading to code execution or component crashes that attackers can exploit.

Designed to improve performance, a JIT compiler converts JavaScript source code into executable computer code, which can run directly within Firefox.

Read more data privacy news from The Daily Swig

Cybercriminals regularly probe JIT systems for flaws, according to a story on the Sophos blog, because they exempt themselves from Data Execution Prevention (DEP) controls. Deployed by most modern apps, DEP blocks data it consumes from executing code in order to guard against shellcode disguised as a trusted program.

According to the Tails dev team, the vulnerability affects only the Tor Browser’s default standard security level. Users were not at risk during any time their security level was raised to ‘safer’ or ‘safest’.

Anyone running version 4.2 will get an automatic update to 4.2.2, but users who encounter problems can upgrade manually. Users of versions 4.0, 4.1, and 4.1.1 must first upgrade to 4.2 and then to 4.2.2.

Tails, which is booted thousands of times a day worldwide, is built on Debian, the Linux-based operating system.

Short for The Amnesiac Incognito Live System, it protects users’ privacy and anonymity when browsing the internet.

Tails 4.2.2 also addresses several other issues, including the delay experienced by some users when rebooting after applying an automatic upgrade, along with bug fixes for KeePassXC password manager and Thunderbird email client.