The Tor Project has released an important security update for the Tor Browser, bringing the privacy-focused web browser to version 13.0.12. The update includes patches for several high-risk vulnerabilities inherited from Mozilla's Firefox code base.
One of the most significant changes in 13.0.12 is the removal of a feature that automatically prioritized .onion sites and redirected users to them when available. The Tor Project decided to disable this functionality after being notified of a potential fingerprinting vulnerability related to the automatic Onion-Location redirects.
"In an abundance of caution, we have removed the 'prioritize .onion sites when known' option from Tor Browser," stated the release notes. "We are looking further into this issue and will provide timely updates as more research and additional recommendations become available."
Beyond the .onion site prioritization change, Tor Browser 13.0.12 also rebases the application on Firefox 115.9.0esr, a Firefox Extended Support Release that addresses multiple security holes.
Most notably, Firefox 115.9 fixes a high-severity memory corruption bug (CVE-2024-2614) that could potentially allow arbitrary code execution. It also patches an issue where the Windows Error Reporter could be abused as a sandbox escape vector on Windows systems (CVE-2024-2605).
Other high-risk flaws resolved in Firefox 115.9 include a crash in the NSS TLS handshake method (CVE-2024-0743), a JIT code bug on ARM that overwrote return registers (CVE-2024-2607), and multiple integer overflow vulnerabilities leading to out-of-bounds writes (CVE-2024-2608).
Users of Tor Browser on Windows should also be aware of a patch (CVE-2024-2377) that prevents hidden fonts from being automatically added to the system's allow list, a change that could break font rendering for some users.
The Tor Browser team also snuck in a couple of smaller updates, like bumping the Snowflake pluggable transport to version 2.9.2 and adding the Startpage .onion search engine to the built-in provider list.
With threats to online privacy and security steadily increasing, running up-to-date software such as the latest Tor Browser is crucial for staying safe online. Users are advised to update to 13.0.12 immediately to take advantage of the critical security patches.