With the update to Tor Browser version 7.0.9 for Linux and Mac operating systems, Tor Browser is now patched against a recently discovered vulnerability that would cause the browser to leak the IP address of its user. The vulnerability was given the name TorMoil by the person who discovered it, Filippo Cavallarin of wearesegment.com. The bug does not affect any versions of Tor Browser for Microsoft Windows operating systems. Not all versions of Tor Browser for Linux were affected by TorMoil. Users of the special version of Tor Browser for the Tails operating system were not affected by the TorMoil bug. Tor Browser on the Whonix operating system was also not affected, nor were users of the Qubes operating system with a dedicated Tor virtual machine. The Sandboxed Tor Browser, which is still in the alpha stage of development, is also not vulnerable to the TorMoil bug. Of course, if a person is using a VPN to connect to the Tor network, then only the IP address of the VPN could be leaked through the TorMoil bug. Cavallarin alerted the Tor Project to the vulnerability at the end of October.
Developers of the Tor Browser from the Tor Project worked together with developers of Firefox at Mozilla to create a patch to stop the TorMoil vulnerability. Related issues remain. “The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136,” the Tor Project stated in a blog post on the release of Tor Browser version 7.0.9.
A day after Cavallarin alerted the project to the vulnerability, an initial fix for the TorMoil bug was created. However, this initial fix was only a partial solution. An additional patch was created which fixed all known holes. In a statement on the Tor Project’s blog announcing the release of the patched version of Tor Browser, the project stated, “We are not aware of this vulnerability being exploited in the wild. Thanks to everyone who helped during this process!”
A security fix for the alpha version of Tor Browser was released shortly after the stable version of Tor Browser was patched. The new alpha version of the Tor Browser for Linux and Mac operating systems, version 7.5a7, was released on November 4th, a day after the stable version of Tor Browser had been patched and published. These patches fix the security issue caused by TorMoil, but users may still experience problems with file:// URLs.
The Tor Project also recently released an update for the alpha version of Tor, which contains a couple of major bug fixes for Tor, including fixes which improve stability. Another recent release from the Tor Project is a command line Tor relay monitor called Nyx. Nyx, named after the Greek goddess of the night, enables Tor relay operators to ensure their Tor relay is functioning properly. The Nyx command line tool allows users to access information about bandwidth usage, Tor connections, and logs, among other data. Nyx scrubs information about users' identities and exit connections. The new Tor relay tool is a completely redesigned version of an application called arm. New features in Nyx that the old arm tool did not have include support for Python 3, a bandwidth graph which loads right away, support for IPv6 connections, and the ability to see connection information without having to edit torrc.