SecurityWeek

Mozilla Patches Firefox Zero-Day Exploited in the Wild

Mozilla updated Firefox to version 39.0.3 on Thursday to address a critical vulnerability that has been exploited in the wild.

The company learned of the zero-day flaw on Wednesday morning after being informed by a user that an ad displayed on a Russian news website had been serving an exploit designed to search for sensitive files on the victim’s system and upload them to a remote server.

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the ‘same origin policy’) and Firefox’s PDF Viewer,” Mozilla said in a blog post.

The security hole does not affect Firefox for Android and other Mozilla products that don’t contain the PDF Viewer component.

The vulnerability (CVE-2015-4495), reported by researcher Cody Crews, cannot be exploited to execute arbitrary code, but it allows an attacker to inject a JavaScript payload into the local file context. In the attack spotted in the wild, the attacker leveraged the vulnerability to steal local files containing potentially sensitive information.

According to Mozilla, the attacker has been targeting certain types of files hosted on Windows and Linux systems. The exploit used in this attack is not designed to target Apple devices, but the company warns that Mac users are also at risk because the payload can be adapted.

The malware is designed to look for S3 Browser, Apache Subversion, and Filezilla configuration files; website configuration files for eight popular FTP clients; and .purple and Psi+ Jabber account information on Windows systems. On Linux, the exploit steals configuration files such as /etc/passwd; .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys; shell scripts; configuration files for Filezilla, Remmina, and Psi+; and text files whose name contains the strings “access” and “pass.” The stolen data is uploaded to a server located in Ukraine.

Mozilla says it is surprising that the malware is designed to target developer-related files, considering that it was served on a news website. However, it is possible that the exploit was deployed on other types of sites as well.

Firefox for Windows and Firefox for Linux users are advised to change passwords and keys found in the files targeted by the attackers. The exploit is designed not to leave any traces on the targeted system.
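A practical way to act on that advice is to enumerate which of the files named above actually exist on a given Linux system, so the rotation list is concrete. The script below is an added example, not code from Mozilla or SecurityWeek: its path list follows the article, while the FileZilla, Remmina and Psi+ locations are assumed defaults, "shell scripts" is read as `*.sh`, and the "access"/"pass" rule is applied to `*.txt` names. The sample directory tree it builds is constructed for the dry run.

```python
"""Post-incident checklist helper for the Linux side of the CVE-2015-4495 campaign.

Added example (not code from Mozilla or SecurityWeek): it reports which of the
files the article says the exploit read actually exist under a home directory,
so a user knows which passwords and keys to rotate. The FileZilla, Remmina and
Psi+ paths are assumed default locations; "shell scripts" is read as *.sh and
the "access"/"pass" rule is applied to *.txt names.
"""
import os
import tempfile
from pathlib import Path

# Paths the article names, relative to the home directory.
TARGETED_IN_HOME = [
    ".bash_history",
    ".mysql_history",
    ".pgsql_history",
    ".ssh",              # SSH config and keys
    ".filezilla",        # FileZilla (assumed location)
    ".remmina",          # Remmina (assumed location)
    ".config/psi+",      # Psi+ (assumed location)
]
# Absolute paths the article names; resolved under `root` so the check can be
# pointed at a mounted image or a constructed test tree.
TARGETED_ABSOLUTE = ["etc/passwd"]


def classify_name(name):
    """Return why a file name matches the article's name-based rules, or None."""
    lower = name.lower()
    if lower.endswith(".sh"):
        return "shell script"
    if lower.endswith(".txt") and ("access" in lower or "pass" in lower):
        return "text file with 'access' or 'pass' in its name"
    return None


def inventory(home, root="/", max_depth=3):
    """List (path, reason) pairs for targeted files that exist.

    Named targets are checked directly; the home directory is walked up to
    `max_depth` levels for shell scripts and access/pass text files.
    """
    home = Path(home)
    hits = set()
    for rel in TARGETED_IN_HOME:
        p = home / rel
        if p.exists():
            hits.add((str(p), "named target"))
    for rel in TARGETED_ABSOLUTE:
        p = Path(root) / rel
        if p.exists():
            hits.add((str(p), "named target"))
    base = len(home.parts)
    for dirpath, dirnames, filenames in os.walk(home):
        if len(Path(dirpath).parts) - base >= max_depth:
            dirnames[:] = []  # stop descending past max_depth
        for fn in filenames:
            reason = classify_name(fn)
            if reason:
                hits.add((str(Path(dirpath) / fn), reason))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory tree for a dry run; returns (home, root)."""
    root = Path(tempfile.mkdtemp(prefix="cve-2015-4495-demo-"))
    home = root / "home" / "alice"
    (home / ".ssh").mkdir(parents=True)
    (home / ".ssh" / "id_rsa").write_text("constructed private key placeholder\n")
    (home / ".bash_history").write_text("ls\n")
    (home / "backup.sh").write_text("#!/bin/sh\n")
    (home / "docs").mkdir()
    (home / "docs" / "server-passwords.txt").write_text("constructed\n")
    (home / "docs" / "notes.txt").write_text("not a credential file\n")
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("alice:x:1000:1000::/home/alice:/bin/sh\n")
    return str(home), str(root)


if __name__ == "__main__":
    # Dry run against the constructed tree; point inventory() at a real home
    # directory (and root="/") to produce an actual rotation checklist.
    home, root = build_sample_tree()
    for path, reason in inventory(home, root):
        print(f"{reason:45s} {path}")
```

The output is a checklist, not a verdict: the exploit left no traces, so presence of a file means its contents should be treated as exposed and the credentials in it rotated, regardless of whether the ad was ever displayed to that user.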

Mozilla has pointed out that since the exploit was delivered via an advertisement, ad-blocking software, depending on how it was configured, might have mitigated the attack.

The vulnerability has been patched with the release of Firefox 39.0.3 and Firefox ESR 38.1.1. Users are advised to update their installations as soon as possible.

Related: Mozilla Patches Critical Vulnerabilities With Release of Firefox 39

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
