On 5th August, Mozilla uncovered that an advertisement shown on a Russian news site came with a Firefox exploit that could steal files from a computer and upload it to a server in Ukraine without the owner’s knowledge.
The next day, 6th August, Mozilla released a security update to fix the vulnerability. Judging by the immediate action, the vulnerability must be serious.
And yes, it is quite serious. The flaw exploits Firefox’s PDF viewer and the JavaScript context to insert a script that will search for and upload certain local files on your machine.
And all you have to do on your part is to open a page containing the exploit and your files will get uploaded to a Ukrainian server.
All Firefox users are being urged to have the security update installed. After the install, you will have Firefox version 39.0.3. if you’re an enterprise owner then patch your Firefox to 38.1.1.
Here’s all you need to know about this Mozilla exploit:
In Firefox, there is an interaction between the mechanisms that enforce JavaScript context separation and Firefox’s PDF viewer. The vulnerability is in this very interaction.
So practically Mozilla products not using the PDF viewer are safe: an example being Firefox for Android.
Now in particular the flaw will not allow any code execution, but if enabled the exploit will inject certain JavaScript into the local file context.
This very action will enable it to search and upload sensitive information on your machine.
Now, all files on your machine are not targeted. Interestingly, it is quite varied. Mostly developer based files are searched for.
If the exploit occurs on a Windows computer, it looks for FTP configuration files, subversions, .purple and Psi+ account information and other account info.
On Linux, the exploit is mostly concerned about global configuration files and user directories. Mac users are not targeted, but are still vulnerable. If attacked, there isn’t nothing much to do.
If you fall a victim, you will most probably have no clue about it. Windows and Linux users with Firefox are urged to change passwords and keys found in the file types mentioned above; if you use them.
People using ad blocks are also safe, but safety depends on the software and the specific filters used by that ad-block software.
Currently, the attack isn’t widespread and has been only visible in certain Russian ad networks. But it’s only a matter of time till the exploit goes viral. So update quickly.
