Well yes, but the fact that it was already patched in the next Tails release, and that was the reason they pulled the trigger when they did, makes even that concern less of a practical problem. It was basically going to get fixed in short order no matter what they did.
Since they never released the exploit, in reality we have no way of verifying this is actually true. It very well could be the case Tails still has this vulnerability.
In my opinion, Hernandez screwed up by not appreciating the risk profiles for Tails and Whonix. Tails is a LiveOS, which doesn't leave traces in RAM or on disk. Whonix is a pair of VMs, one with the Tor process, and the other with user apps. Using Whonix, exploits like this are impossible, because the apps VM has no public IP address, and can hit the Internet only via Tor.
True. However, such high-value targets would be isolating the Tor process and apps at the hardware level. It's over my head, but I can imagine elements from Tinfoil Chat and Qubes Air.
And yes, vulnerabilities in Tor have been exploited. So it's prudent to hit Tor via nested VPN chains, just in case.
Could you use a ring of VPSs spawning independent VM sessions, which are randomly connected to as needed, and puppeted by scripts or ML, used by others in the meantime, and torn down randomly and on a schedule. Cloud hop in the noise.
