New Release: Tor Browser 12.5.4

by richard | September 13, 2023

Tor Browser 12.5.4 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox and GeckoView to 102.15.1esr and fixes CVE-2023-4863: Heap buffer overflow in libwebp.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 12.5.3 is:

  • All Platforms
  • Windows + macOS + Linux
    • Updated Firefox to 102.15.1esr
  • Android
    • Updated GeckoView to 102.15.1esr
  • Build System
    • All Platforms
      • Updated Go to 1.20.8

This is a companion discussion topic for the original entry at https://blog.torproject.org/new-release-tor-browser-1254

Does anyone know if CVE-2023-4863 has been used to exploit people in the wild or is it just a feasible possibility?

This (CVE-2023-4863) pretty much sounds like this (but may be a coincidence):


Thanks for your response, but from what I can understand from the article, it says the exploit was delivered through an Apple-specific vulnerability in iMessage rather than the browser, and it's practically impossible to defend against since one unknowingly vulnerable app gives a way in. It's pretty worrying to say the least; after Meltdown and Spectre I thought we would have better protection and understanding of defense against Pegasus.


Probably you are right: the libwebp vulnerability was reported by “Apple Security Engineering and Architecture (SEAR)” and “The Citizen Lab at The University of Toronto’s Munk School”; combined with the timely correlation, it was my first guess…

But PWNYOURHOME, mentioned with moderate confidence, does not fit for me, because it was already very old at the time of the infection:
