If you are using software based on Firefox major version 21 or earlier, Thunderbird 17.06 or earlier, or SeaMonkey 2.18 or earlier, please update your software immediately. Tor Browser Bundle users who have not updated to the most recent version are also at risk, and so we've provided a screenshot tutorial for how to update the Tor Browser Bundle below.
Tor and the Tor Browser: Security and the Importance of Updating
Tor is a powerful anonymity tool that allows human rights activists, dissidents and whistleblowers to use web services anonymously to avoid harassment, imprisonment and in some cases death. Tor also allows users to circumvent several forms of surveillance and censorship. The Tor Browser is a modified version of Firefox that ships with the Tor Browser Bundle to provide users with an easy way to browse with Tor without any configuration required.
Given the importance of Tor to users around the world, the security of both Tor and the Tor Browser is absolutely critical. This type of attack cannot be narrowly focused on particular Tor or Tor Browser users suspected of breaking the law, and leaves vulnerable the multitude of other users worldwide who depend on these tools for anonymity. In this case, all users of older versions of the Tor Browser Bundle are potentially vulnerable and the issue requires immediate attention.
What Can Users Do?
Tor does not provide automatic security updates. Instead, the Tor Browser currently requires users to manually download and install the update of the Tor Browser Bundle. The Tor Project is working on a fix for this, and this attack highlights the importance of allowing users to auto-update. For now, if you are using an outdated version of the Tor Browser, you should update your Tor Browser Bundle software immediately. Here are detailed instructions for Windows users:
1. Open your current Tor Browser, and determine what version of Firefox is running by clicking the "TorBrowser" button:
2. Click on "Help" -> "About TorBrowser" to determine your version. If it is below 17.0.7, then you are vulnerable:
3. Click the TorButton icon and go to "Download Tor Browser Bundle Update":
4. You should be taken to the Tor Browser Bundle homepage, where you click to download the executable file:
5. Download this executable file. Click through the warning about launching the executable file:
6. Once the file is downloaded, extract the application either to the same directory where Tor exists or a new directory for this version:
7. Launch the "Start Tor Browser" executable from the same directory where you extracted the application and check the version to make sure that you're up to date.
If you see Firefox version 17.0.7 or greater, then you're up to date.