QuoVadis Posted August 10, 2015

SOURCE

Firefox users have been urged to update to browser version 39.0.3, following the discovery of a vuln that allows an attacker to read and steal sensitive local files on the victim's computer via the browser's PDF reader. The Firefox exploit, discovered by security researcher Cody Crews, allows an attacker to violate the same origin policy and inject script into a non-privileged part of the browser's built-in PDF Viewer.

Mozilla said that on the morning of 5 August, a user passed the organisation information that showed how the vuln could be exploited. An advert on an unnamed news site in Russia was serving the exploit, according to Mozilla, and then uploading sensitive pilfered files to a server, apparently located in Ukraine.

Mozilla has now released a security update to fix the security hole. Additionally, Mozilla noted that the fix was shipped in Firefox ESR 38.1. While the vulnerability does not allow remote code execution, it does enable attackers to inject a JavaScript payload into the local file context. This allows the malefactor to search the machine for, and subsequently upload, sensitive local files.

Mozilla said that the vuln had been produced by the interaction of the mechanism that enforces JavaScript context separation (the "same origin policy") and Firefox's PDF Viewer. Mozilla products which don't contain the PDF Viewer, such as Firefox for Android, remain unaffected by the vuln.

Mozilla stated: The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don't know where else the malicious ad might have been deployed.

According to Mozilla: On Windows the exploit looked for subversion, s3browser, and Filezilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, Filezilla, and Psi+, text files with "pass" and "access" in the names, and any shell scripts.

It's also worth noting that, while Mac users were not targeted by this particular exploit, they would not be immune to the vulnerability should cybercriminals create a different payload.

Mozilla said: The exploit leaves no trace if it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.

Long story, short: Firefox fans should update their browser as soon as possible.
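Two things a defender wants from the post above: a quick check that an installed Firefox version is at or past the fixed release (39.0.3, or 38.1 on the ESR line), and an inventory of which of the credential-bearing Linux files Mozilla listed actually exist in a home directory, so the right passwords and keys get rotated. The script below is an added example, not code from the post or from Mozilla. Its version thresholds and the Linux file names come from the post; the directory paths assumed for Filezilla, Pidgin/.purple, Remmina and Psi+ configuration are guesses, and the home directory it scans is constructed in a temporary folder for the demo.

```python
"""Post-incident helper for the Firefox PDF Viewer same-origin bypass
described in the post (fixed in Firefox 39.0.3 / ESR 38.1).

  1. is_patched()       -> is this Firefox version string at or past the fix?
  2. files_to_rotate()  -> which credential-bearing files from Mozilla's list
                           exist under a home directory (rotate those secrets)

Example code, not Mozilla's. Config-file locations marked "assumed" are
educated guesses, not taken from the post.
"""
import shutil
import tempfile
from pathlib import Path

FIXED_RELEASE = (39, 0, 3)   # from the post
FIXED_ESR = (38, 1)          # the post says the fix shipped in ESR 38.1


def parse_version(text):
    """'39.0.3' -> (39, 0, 3); a trailing 'esr' tag is ignored."""
    parts = []
    for piece in text.lower().replace("esr", "").split("."):
        piece = piece.strip()
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_patched(version_text):
    """True if the version is at or above the fixed release for its line.
    Assumption: anything with major version 38 is treated as the ESR line."""
    v = parse_version(version_text)
    if not v:
        return False
    if v[0] == 38:
        return v >= FIXED_ESR
    return v >= FIXED_RELEASE


# Per-user files/directories the post says the Linux payload looked for.
# The first four are named in the post; the rest are assumed locations.
LINUX_HOME_TARGETS = [
    ".bash_history", ".mysql_history", ".pgsql_history", ".ssh",
    ".filezilla",          # assumed Filezilla config dir
    ".purple",             # assumed Pidgin/libpurple accounts dir
    ".config/remmina",     # assumed Remmina config dir
    ".config/psi+",        # assumed Psi+ config dir
]
NAME_HINTS = ("pass", "access")   # "text files with 'pass' and 'access' in the names"


def files_to_rotate(home):
    """Sorted relative paths under `home` that match Mozilla's list, i.e. the
    files whose contents should be treated as exposed."""
    home = Path(home)
    found = set()
    for rel in LINUX_HOME_TARGETS:
        p = home / rel
        if p.is_dir():
            found.update(str(f.relative_to(home)) for f in p.rglob("*") if f.is_file())
        elif p.is_file():
            found.add(rel)
    # plus: .txt files with the hint words in their name, and any shell script
    for f in home.rglob("*"):
        if not f.is_file():
            continue
        name = f.name.lower()
        if name.endswith(".sh") or (name.endswith(".txt") and any(h in name for h in NAME_HINTS)):
            found.add(str(f.relative_to(home)))
    return sorted(found)


def build_demo_home():
    """Constructed sample home directory (placeholder contents, no real data)."""
    home = Path(tempfile.mkdtemp(prefix="demo_home_"))
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_rsa").write_text("constructed placeholder key\n")
    (home / ".ssh" / "config").write_text("Host example\n")
    (home / ".bash_history").write_text("ls\n")
    (home / "notes").mkdir()
    (home / "notes" / "db_passwords.txt").write_text("placeholder\n")
    (home / "notes" / "readme.txt").write_text("nothing sensitive\n")
    (home / "deploy.sh").write_text("#!/bin/sh\necho deploy\n")
    return home


def run_demo():
    """Build the constructed home, scan it, clean up, return the rotation list."""
    home = build_demo_home()
    try:
        return files_to_rotate(home)
    finally:
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    for v in ("39.0.2", "39.0.3", "38.1.1esr"):
        print(f"Firefox {v}: {'patched' if is_patched(v) else 'VULNERABLE'}")
    for path in run_demo():
        print("rotate any credential stored in:", path)
```

The version check is intentionally per-line: 38.x users are only safe on ESR 38.1 or later, while everyone else needs 39.0.3. The file scan is deliberately read-only; it reports paths and never opens or copies contents, since the point is to tell the user which secrets to rotate, not to collect them.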