Zero Day: Firefox Fixed

Monday, August 10, 2015 @ 12:08 PM gHale

Mozilla updated Firefox to version 39.0.3 to fix a critical vulnerability undergoing attacks.

The company learned of the Zero Day Wednesday morning after a user let them know an ad displayed on a Russian news website had been serving an exploit designed to search for sensitive files on the victim’s system and upload them to a remote server.

Disabling Chrome Extensions
Row Hammer Exploitable via JavaScript
Security Appliance Holes Fixed
Red Hat Patches Vulnerabilities

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the ‘same origin policy’) and Firefox’s PDF Viewer,” Mozilla said in a blog post.

The security hole does not affect Firefox for Android and other Mozilla products that don’t contain the PDF Viewer component. vulnerability, reported by researcher Cody Crews, is not able to execute arbitrary code, but it allows an attacker to inject a JavaScript payload into the local file context. In one attack, the attacker leveraged the vulnerability to steal local files containing potentially sensitive information.

The attacker has been targeting certain types of files hosted on Windows and Linux systems, Mozilla officials said. The exploit used in this attack does not target Apple devices, but the company warns Mac users are also at risk because a bad guy could adapt the payload.

The malware look for S3 Browser, Apache Subversion, and Filezilla configuration files; website configuration files for eight popular FTP clients; and .purple and Psi+ Jabber account information on Windows systems. On Linux, the exploit steals configuration files such as /etc/passwd; .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys; shell scripts; configuration files for Filezilla, Remmina, and Psi+; and text files whose name contains the strings “access” and “pass.” The stolen data uploads to a server located in Ukraine.

Mozilla said it is surprising the malware targets developer-related files considering it is on a news websites. However, it’s possible the exploit went out on other sites as well.

Firefox for Windows and Firefox for Linux users should change passwords and keys found in the files targeted by the attackers. The exploit does not leave any traces on the targeted system.

Mozilla patched the vulnerability with the release of Firefox 39.0.3 and Firefox ESR 38.1.1. Users should update update their installations as soon as possible.