Critical vulnerability has been fixed upstream, but Tails dev team ‘doesn’t have the capacity to publish an emergency release earlier’
Tails is warning users to stop using the Tor Browser that comes bundled with the privacy-focused operating system (OS) for anything sensitive, after the discovery of a prototype pollution vulnerability.
Tor Browser is a modified build of the open source Firefox web browser, and it is in Firefox's own code that the critical vulnerability, tracked as CVE-2022-1802, was found.
The developers of Tails, a Debian-based Linux distribution built for privacy and anonymity, warned users not to open Tor Browser while handling sensitive information, because the vulnerability can undermine the isolation between websites that the browser is meant to provide.
This is at least until version 5.1 of Tails, expected on May 31, is released.
A security advisory from Tails reads: “This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.
“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.”
The vulnerability does not break the anonymity or encryption of Tor connections, so it remains safe and anonymous to browse websites from Tails as long as you do not send them sensitive information.
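The Firefox bug behind this advisory sits in the JavaScript engine itself, and neither advisory publishes exploit details. For readers unfamiliar with the bug class, the following is an added example (not code from Tails, Mozilla, or the Tor Project, and not the Firefox bug) of the classic web-application form of prototype pollution: a recursive merge that honours a `__proto__` key in attacker-controlled JSON, so that every object created afterwards inherits attacker-chosen properties, beside a hardened merge that skips prototype keys and only recurses into the target's own properties. The payload string and the `isAdmin` property name are constructed for the demonstration.

```javascript
// Added example of the prototype-pollution bug class in general. It is NOT the
// Firefox/Tor Browser bug described in the article, which was in the engine's
// Top-Level Await implementation rather than in web-application code like this.

// Vulnerable: recursive merge that trusts every key in attacker-controlled input.
// For key "__proto__", target[key] is Object.prototype, so the recursion writes
// the attacker's properties onto the shared prototype of every plain object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse keys that reach the prototype chain, and only recurse into
// properties the target itself owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, as a site might receive it in a JSON request
// body. JSON.parse creates an *own* property literally named "__proto__".
const ATTACKER_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Runs the vulnerable merge and reports whether an unrelated, freshly created
// object now appears to carry the attacker's property. Removes the pollution
// afterwards so it does not leak into the rest of the process.
function demoUnsafe() {
  const settings = unsafeMerge({}, JSON.parse(ATTACKER_JSON));
  const unrelated = {}; // created after the merge, never touched by attacker data
  const result = {
    theme: settings.theme,
    settingsHasOwnIsAdmin: Object.prototype.hasOwnProperty.call(settings, "isAdmin"),
    unrelatedIsAdmin: unrelated.isAdmin === true, // true: inherited from Object.prototype
  };
  delete Object.prototype.isAdmin;
  return result;
}

// Same payload through the hardened merge: legitimate keys are copied,
// the prototype stays clean, and unrelated objects are unaffected.
function demoSafe() {
  const settings = safeMerge({}, JSON.parse(ATTACKER_JSON));
  const unrelated = {};
  return {
    theme: settings.theme,
    unrelatedIsAdmin: unrelated.isAdmin === true,
    prototypeClean: !("isAdmin" in Object.prototype),
  };
}

console.log("unsafe:", demoUnsafe());
console.log("safe:  ", demoSafe());
```

The point to notice is that the polluted property is not an own property of the merged object; it is inherited, so a later `if (user.isAdmin)` check on a completely unrelated object passes. Besides filtering keys, a defence in depth is to build dictionaries with `Object.create(null)` so they have no prototype to pollute, or to call `Object.freeze(Object.prototype)` early at process start.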
Tails version 5.0 comes bundled with Tor Browser 11.0.11, which contains the prototype pollution bug.
Until Tails 5.1 ships with the fixed Tor Browser 11.0.13, users who need a browser for sensitive tasks could instead use the standalone, fully updated Tor Browser on macOS, Windows, or Linux.
“This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier,” the Tails team said.
A Mozilla security advisory contains more information about the two prototype pollution issues, CVE-2022-1802 and CVE-2022-1529, which were reported by researcher Manfred Paul.
It also contains details of the fixes for Firefox, Firefox ESR, Firefox for Android, and Thunderbird that protect against the vulnerabilities.