Mozilla published a blog post on Friday, detailing a Firefox browser exploit that is in the wild right now. The exploit can search for and upload files from your computer. The good news is there’s a fix, and all you need to do is update your Firefox browser to the latest version.
The vulnerability comes from the interaction between the mechanism that enforces JavaScript context separation (the same-origin policy) and Firefox’s built-in PDF Viewer (pdf.js). Mozilla products that don’t ship the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not allow arbitrary code execution; what the exploit does is inject a JavaScript payload into the local file context, from which it can read the local filesystem. That was enough to let it search for and upload potentially sensitive local files.
The exploit, which reportedly used a server in Ukraine to receive the stolen data, injects JavaScript that searches for and uploads files from the user’s computer. None of this produces any visible indication to the user.
On Windows the exploit looked for Subversion, S3 Browser, and FileZilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files such as /etc/passwd, and then, in every user directory it can access, looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, FileZilla, and Psi+, text files with “pass” or “access” in the name, and any shell scripts. Mac users are not targeted by this particular payload, but they would not be immune should someone write a different one.
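If you ran a vulnerable Firefox on Linux, the practical question is which of the files above actually exist on the machine, because those are the credentials and histories to treat as exposed and rotate. The script below is an added example, not code from Mozilla or from the exploit: it walks a home directory and reports the files matching the Linux target list described above. The directory names used for the Remmina, FileZilla and Psi+ configuration are assumptions about where those clients normally keep their settings, and “text files” is interpreted as files ending in .txt; the demo home directory it builds is constructed sample data.

```python
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Target list mirrors the Linux description in the article above.
HISTORY_FILES = {".bash_history", ".mysql_history", ".pgsql_history"}

# Directory -> label. Client config locations are assumptions, not from the
# article; adjust them for your distribution or packaging.
TARGET_DIRS: Dict[str, str] = {
    ".ssh": "ssh config/keys",
    ".purple": "Pidgin/libpurple accounts",
    ".remmina": "Remmina config",        # assumed location
    ".filezilla": "FileZilla config",    # assumed location
    ".config/psi+": "Psi+ config",       # assumed location
}
NAME_HINTS = ("pass", "access")

# Global files the article says the exploit reads first.
GLOBAL_TARGETS = ["/etc/passwd"]


def classify(relpath: str) -> Optional[str]:
    """Return the category the exploit would have filed this path under,
    or None if it would have ignored it. `relpath` is relative to $HOME."""
    if relpath in HISTORY_FILES:
        return "shell/db history"
    for d, label in TARGET_DIRS.items():
        if relpath == d or relpath.startswith(d + "/"):
            return label
    lower = os.path.basename(relpath).lower()
    # The article says "text files"; .txt is an assumption for that.
    if lower.endswith(".txt") and any(h in lower for h in NAME_HINTS):
        return "text file named *pass*/*access*"
    if lower.endswith(".sh"):
        return "shell script"
    return None


def find_targeted_files(home: str, max_depth: int = 4) -> List[Tuple[str, str]]:
    """Walk `home` (depth-limited so large home directories finish quickly)
    and return sorted (relative_path, category) pairs for every file the
    exploit described above would have collected."""
    home = os.path.abspath(home)
    hits: List[Tuple[str, str]] = []
    for root, dirs, files in os.walk(home):
        rel_root = os.path.relpath(root, home)
        depth = 0 if rel_root == "." else rel_root.count(os.sep) + 1
        if depth >= max_depth:
            dirs[:] = []          # do not descend further
        for f in files:
            rel = os.path.relpath(os.path.join(root, f), home)
            cat = classify(rel)
            if cat:
                hits.append((rel, cat))
    return sorted(hits)


def build_demo_home() -> str:
    """Constructed sample home directory (empty files) for demonstration."""
    d = tempfile.mkdtemp(prefix="demo-home-")
    for rel in [".bash_history", ".ssh/id_rsa", ".purple/accounts.xml",
                "notes/passwords.txt", "bin/deploy.sh", "photo.jpg"]:
        p = os.path.join(d, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
    return d


if __name__ == "__main__":
    home = os.environ.get("HOME") or build_demo_home()
    for g in GLOBAL_TARGETS:
        if os.path.exists(g):
            print(f"[global] {g}")
    for rel, cat in find_targeted_files(home):
        # st_atime is only a hint: relatime/noatime mounts make it unreliable
        atime = os.stat(os.path.join(home, rel)).st_atime
        print(f"[{cat}] {rel}  (last accessed {atime:.0f})")
```

Run it as the affected user; anything it lists is what a successful run of this payload could have exfiltrated, so treat SSH keys, saved FTP/SFTP passwords and database histories found this way as compromised rather than trying to prove from access times that they were read.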
If you’re running Firefox, update to version 39.0.3 immediately. By default, Firefox is set to update itself automatically, but you can also trigger an update by clicking “About Firefox” in the Firefox menu. If an update is available, Firefox will begin downloading it immediately. When the update is ready to be applied, you’ll see a button to restart and update the browser.
You can also download the updated version of Firefox from mozilla.org.