Mozilla Patches Firefox Zero-Day Exploited in the Wild

Mozilla updated Firefox to version 39.0.3 on Thursday to address a critical vulnerability that has been exploited in the wild.

The company learned of the zero-day flaw on Wednesday morning after being informed by a user that an ad displayed on a Russian news website had been serving an exploit designed to search for sensitive files on the victim’s system and upload them to a remote server.

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the ‘same origin policy’) and Firefox’s PDF Viewer,” Mozilla said in a blog post.

The security hole does not affect Firefox for Android and other Mozilla products that don’t contain the PDF Viewer component.

The vulnerability (CVE-2015-4495), reported by researcher Cody Crews, cannot be exploited to execute arbitrary code, but it allows an attacker to inject a JavaScript payload into the local file context. In the attack spotted in the wild, the attacker leveraged the vulnerability to steal local files containing potentially sensitive information.

According to Mozilla, the attacker has been targeting certain types of files hosted on Windows and Linux systems. The exploit used in this attack is not designed to target Apple devices, but the company warns that Mac users are also at risk because the payload can be adapted.

On Windows, the payload looks for S3 Browser, Apache Subversion and FileZilla configuration files; site configuration files for eight popular FTP clients; and .purple and Psi+ Jabber account information. On Linux, it reads global configuration files such as /etc/passwd, then the shell and database history files .bash_history, .mysql_history and .pgsql_history; .ssh configuration files and keys; shell scripts; configuration files for FileZilla, Remmina and Psi+; and text files whose names contain the strings "access" or "pass". The stolen data is uploaded to a server located in Ukraine.

Mozilla says it is surprising that the payload targets developer-related files given that it was served on a news website. However, it is possible that the exploit was deployed on other types of sites as well.

Firefox users on Windows and Linux are advised to change any passwords and keys found in the files targeted by the attackers. The exploit is designed not to leave any traces on the targeted system, so there is no reliable way to tell whether a particular machine was hit; rotating the affected credentials is the safe course.
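Because the exploit leaves nothing behind, the practical question for an affected user is not "was I hit?" but "which of the files it would have read exist on my machine, and therefore which credentials do I rotate?". The following is an added example (not Mozilla's code and not the in-the-wild exploit) that answers that question by scanning a home directory for the file list given in the article. The concrete directory paths assumed for the named programs (~/.ssh, ~/.filezilla, ~/.remmina, ~/.config/psi+ on Linux; the AppData\Roaming subfolders on Windows) are my assumptions about their default locations, the page does not name the eight FTP clients so they are omitted, and the sample home directory is constructed here for the demonstration. Nothing is uploaded anywhere.

```python
"""Triage helper: list the credential-bearing files the exploit described
above could have read from a user's home directory, so the owner knows what
to rotate. Added example, not Mozilla's code or the real payload.
"""
import os
import tempfile
from pathlib import Path


def _is_shell_script(name: str) -> bool:
    return name.endswith(".sh")


def _is_pass_or_access_text(name: str) -> bool:
    low = name.lower()
    return low.endswith(".txt") and ("pass" in low or "access" in low)


# Targets per platform, relative to the home directory, taken from the article.
# The directory paths for the named programs are ASSUMED default locations;
# the "eight popular FTP clients" are not named on the page and are left out.
TARGETS = {
    "linux": {
        "files": {".bash_history", ".mysql_history", ".pgsql_history"},
        "dirs": {".ssh", ".filezilla", ".remmina", ".config/psi+"},
        "name_tests": [_is_shell_script, _is_pass_or_access_text],
    },
    "windows": {
        "files": set(),
        "dirs": {
            "AppData/Roaming/Subversion/auth",
            "AppData/Roaming/FileZilla",
            "AppData/Roaming/S3Browser",
            "AppData/Roaming/.purple",
            "AppData/Roaming/Psi+",
        },
        "name_tests": [],
    },
}


def find_exposed_artifacts(home, platform="linux"):
    """Return sorted home-relative POSIX paths of files matching the target list.

    A file matches by exact relative path, by living under a target directory,
    or by a file-name test. Global files such as /etc/passwd sit outside the
    home directory and are not covered here.
    """
    rules = TARGETS[platform]
    home = Path(home)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(home):
        for name in filenames:
            rel = Path(dirpath, name).relative_to(home).as_posix()
            in_target_dir = any(
                rel == d or rel.startswith(d + "/") for d in rules["dirs"]
            )
            by_name = any(test(name) for test in rules["name_tests"])
            if rel in rules["files"] or in_target_dir or by_name:
                hits.append(rel)
    return sorted(hits)


# Constructed sample home (fake contents) mixing Linux and Windows layouts so
# one fixture exercises both rule sets. None of this is real data.
SAMPLE_FILES = {
    ".bash_history": "mysql -u root -pS3cret\n",
    ".ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nexample\n",
    ".ssh/config": "Host prod\n  HostName 203.0.113.7\n",
    ".filezilla/sitemanager.xml": "<FileZilla3/>\n",
    "deploy.sh": "#!/bin/sh\nscp build.tgz prod:/srv/\n",
    "notes/access-tokens.txt": "token=example\n",
    "notes/README.txt": "nothing sensitive here\n",
    "photos/cat.jpg": "",
    "AppData/Roaming/FileZilla/sitemanager.xml": "<FileZilla3/>\n",
    "AppData/Roaming/.purple/accounts.xml": "<account/>\n",
}


def build_sample_home(root):
    """Write SAMPLE_FILES under root/alice and return that home path."""
    home = Path(root) / "alice"
    for rel, content in SAMPLE_FILES.items():
        path = home / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return home


def scan_sample_home():
    """Build the constructed home in a temp dir and scan it for both platforms."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_home(tmp)
        return {p: find_exposed_artifacts(home, p) for p in TARGETS}


if __name__ == "__main__":
    for platform, paths in scan_sample_home().items():
        print(f"[{platform}] rotate credentials held in:")
        for rel in paths:
            print("   ", rel)
```

To run it against a real account, call `find_exposed_artifacts(Path.home(), "linux")` or `"windows"` and treat every path listed as a credential to rotate, remembering that any FTP client configuration the page does not name, and global files like /etc/passwd, are outside what this scan reports.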

Mozilla has pointed out that since the exploit was delivered via an advertisement, ad-blocking software, depending on how it was configured, might have mitigated the attack.

The vulnerability has been patched with the release of Firefox 39.0.3 and Firefox ESR 38.1.1. Users are advised to update their installations as soon as possible.

Related: Mozilla Patches Critical Vulnerabilities With Release of Firefox 39

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
