Tails OS users are advised not to use the Tor Browser until critical Firefox bugs are fixed


Tails project officials have issued a warning that the Tor browser that comes with the operating system is not safe to use to access or enter sensitive information.

“We recommend that you stop using Tails until the release of version 5.1 (May 31) if you use the Tor browser for sensitive information (passwords, private messages, personal information, etc.),” the project said in a notice published this week.

Tails, short for The Amnesic Incognito Live System, is a security-focused Debian-based Linux distribution aimed at maintaining privacy and anonymity by connecting to the Internet through the Tor network.

The alert comes as Mozilla rolled out fixes on May 20, 2022 for two critical zero-day flaws in its Firefox browser, a modified version of which serves as the basis for the Tor browser.

Tracked as CVE-2022-1802 and CVE-2022-1529, the two vulnerabilities are so-called prototype pollution flaws that could be weaponized to achieve JavaScript code execution on devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android and Thunderbird.

“For example, after visiting a malicious website, an attacker controlling that website can gain access to the password or other sensitive information that you then send to other websites during the same Tails session,” the Tails advisory reads.

The bugs were demonstrated by Manfred Paul during the 15th edition of the Pwn2Own hacking contest held in Vancouver last week, for which the researcher was awarded $100,000.

However, Tor browsers that have the “Most Secure” security level enabled as well as the Thunderbird mail client in the operating system are immune to the vulnerabilities because JavaScript is disabled in both cases.

Additionally, the weaknesses do not break the anonymity and encryption protections built into the Tor browser, which means that Tails users who do not handle sensitive information can continue to use the web browser.

“This vulnerability will be fixed in Tails 5.1 (May 31), but our team does not have the ability to release an emergency release sooner,” the developers said.

