Update fixes vulnerability in Tor anonymisation service
Version 0.1.2.16 of the Tor anonymisation software fixes a security vulnerability which could have allowed remote manipulation of the user's configuration file (torrc). According to the developers, the vulnerability could compromise users' anonymity. Most configurations are affected, particularly those in which Tor is controlled via a graphical user interface such as Vidalia or TorK.
These graphical user interfaces control the local Tor service using the Tor Control Protocol (TC), which accepts commands for the local anonymisation service on port 9051. Tor now closes such connections if authentication fails, and allows only one further login attempt. According to the release notes, Tor installations which have the ControlPort option disabled in the torrc file are not affected by this vulnerability. The developers urgently recommend updating to the new version, which is already available for download from the project's website.
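The release notes' distinction (affected only when ControlPort is enabled) lends itself to a quick local check. The following Python script is an added example, not code from the Tor project or from this article: it parses a torrc with a simplified reader (assumption: one `Option value` per line, `#` comments, case-insensitive option names) and reports whether the control port is reachable and whether controller authentication is configured. `ControlPort` is the option named in the article; `HashedControlPassword` and `CookieAuthentication` are Tor's own controller-authentication options and are not mentioned on the page. The torrc samples are constructed, and the hash value is a placeholder.

```python
"""Audit a torrc for control-port exposure (added example, not Tor project code).

Assumptions: simplified torrc syntax, one 'Option value' per line, '#' comments,
option names case-insensitive. Sample configurations below are constructed.
"""
from __future__ import annotations


def parse_torrc(text: str) -> dict[str, list[str]]:
    """Return {option_name_lowercase: [values...]} for every setting in a torrc."""
    options: dict[str, list[str]] = {}
    for raw in text.splitlines():
        # Drop trailing comments and surrounding whitespace; skip blank lines.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(name, []).append(value)
    return options


def audit_torrc(text: str) -> dict[str, object]:
    """Classify a torrc by control-port exposure and controller authentication."""
    opts = parse_torrc(text)
    # 'ControlPort 0' or no ControlPort line at all means the controller is off.
    ports = [v for v in opts.get("controlport", []) if v and v != "0"]
    control_enabled = bool(ports)
    # HashedControlPassword / CookieAuthentication are real Tor options (assumption:
    # either one counts as authentication being configured).
    has_password = any(v for v in opts.get("hashedcontrolpassword", []))
    cookie_auth = any(v == "1" for v in opts.get("cookieauthentication", []))
    authenticated = has_password or cookie_auth
    if not control_enabled:
        verdict = "control port disabled: not affected according to the release notes"
    elif authenticated:
        verdict = "control port enabled with authentication: update Tor"
    else:
        verdict = "control port enabled without authentication: update Tor and configure controller authentication"
    return {
        "control_port_enabled": control_enabled,
        "control_ports": ports,
        "authenticated": authenticated,
        "verdict": verdict,
    }


# Constructed sample: a typical GUI-managed configuration with an open controller port.
GUI_TORRC = """# constructed sample
SocksPort 9050
ControlPort 9051   # Vidalia/TorK talk to Tor here
"""

# Constructed sample: controller disabled, the case the release notes call unaffected.
HARDENED_TORRC = """# constructed sample
SocksPort 9050
ControlPort 0
"""

# Constructed sample: controller enabled but password-protected (hash is a placeholder).
PASSWORD_TORRC = """# constructed sample
ControlPort 9051
HashedControlPassword 16:PLACEHOLDER_HASH_VALUE
"""


if __name__ == "__main__":
    for label, conf in (("GUI", GUI_TORRC), ("hardened", HARDENED_TORRC), ("password", PASSWORD_TORRC)):
        print(f"{label}: {audit_torrc(conf)['verdict']}")
```

Run it against your own torrc by reading the file into `audit_torrc`; a result with `control_port_enabled` true is the configuration the article says needs the update.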
A new version of the Vidalia graphical user interface bundled with the Tor service is available for Mac OS X. The developers advise Windows users either to wait for a forthcoming Vidalia package or to install the latest version of Tor and the Vidalia interface separately.
See also:
- New Tor version improves security and anonymity, news item by heise Security
- Anonymous networks vulnerable to attacks with fake routing data, news item by heise Security
(mba)