This is a critical security announcement.
This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version: 2.3.25-10 (released June 26 2013), 2.4.15-alpha-1 (released June 26 2013), 2.4.15-beta-1 (released July 8 2013), 3.0alpha2 (released June 30 2013).
Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions as described below.
WHO IS AFFECTED: In principle, all users of all Tor Browser Bundles earlier than the above versions are vulnerable. But in practice, it appears that only Windows users with vulnerable Firefox versions were actually exploitable by this attack.
(If you're not sure what version you have, click on "Help -> About Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: )
To be clear, while the Firefox vulnerability is cross-platform, the attack code is Windows-specific. It appears that TBB users on Linux and OS X, as well as users of LiveCD systems like Tails, were not exploited by this attack.
IMPACT: The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim's computer. However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.
We don't currently believe that the attack modifies anything on the victim computer.
WHAT TO DO: First, be sure you're running a recent enough Tor Browser Bundle. That should keep you safe from this attack.
Second, be sure to keep up-to-date in the future. Tor Browser Bundle automatically checks whether it's out of date, and notifies you on its homepage when you need to upgrade. Recent versions also add a flashing exclamation point over the Tor onion icon. We also post about new versions on the Tor blog:
Fourth, consider switching to a "live system" approach like Tails. Really, switching away from Windows is probably a good security move for many reasons.
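For anyone checking more than one machine, the list of fixed bundle versions above can be turned into a small check. This is an added example, not code from the Tor Project; the version-string patterns are inferred from the four versions listed above, and the host names and sample versions are constructed.

```python
import re

# First release in each Tor Browser Bundle series that ships the fixed
# Firefox 17.0.7 ESR, taken from the advisory text above.
FIRST_FIXED = {
    "stable": (2, 3, 25, 10),   # 2.3.25-10
    "alpha": (2, 4, 15, 1),     # 2.4.15-alpha-1
    "beta": (2, 4, 15, 1),      # 2.4.15-beta-1
    "3.0alpha": (3, 0, 2),      # 3.0alpha2
}

# Assumed version-string shapes, inferred from the four versions listed above.
PATTERNS = [
    ("stable", re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")),
    ("alpha", re.compile(r"^(\d+)\.(\d+)\.(\d+)-alpha-(\d+)$")),
    ("beta", re.compile(r"^(\d+)\.(\d+)\.(\d+)-beta-(\d+)$")),
    ("3.0alpha", re.compile(r"^(3)\.(0)alpha(\d+)$")),
]


def classify(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for a TBB version string."""
    version = version.strip()
    for series, pattern in PATTERNS:
        match = pattern.match(version)
        if match:
            parsed = tuple(int(part) for part in match.groups())
            # Compare only within a series; alpha and beta numbering are not
            # assumed to be comparable with each other or with stable.
            return "fixed" if parsed >= FIRST_FIXED[series] else "vulnerable"
    # Unrecognised format: do not guess. Check Help -> About Torbrowser
    # by hand and confirm it says Firefox 17.0.7.
    return "unknown"


def needs_attention(inventory):
    """Map host -> status for every host that is not confirmed fixed."""
    statuses = {host: classify(ver) for host, ver in inventory.items()}
    return {host: s for host, s in statuses.items() if s != "fixed"}


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE = {
    "desk-01": "2.3.25-10", "desk-02": "2.3.25-8",
    "lab-01": "2.4.15-alpha-1", "lab-02": "2.4.12-alpha-2",
    "lab-03": "3.0alpha1", "lab-04": "tbb-nightly",
}
```

Calling needs_attention(SAMPLE) returns the hosts to upgrade or inspect by hand; anything reported as 'unknown' should be treated as unverified rather than safe.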