Mozilla Patches Firefox Zero-Day Exploited in the Wild

Mozilla updated Firefox to version 39.0.3 on Thursday to address a critical vulnerability that has been exploited in the wild.

The company learned of the zero-day flaw on Wednesday morning after being informed by a user that an ad displayed on a Russian news website had been serving an exploit designed to search for sensitive files on the victim’s system and upload them to a remote server.

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the ‘same origin policy’) and Firefox’s PDF Viewer,” Mozilla said in a blog post.

The security hole does not affect Firefox for Android and other Mozilla products that don’t contain the PDF Viewer component.

The vulnerability (CVE-2015-4495), reported by researcher Cody Crews, cannot be exploited to execute arbitrary code, but it allows an attacker to inject a JavaScript payload into the local file context. In the attack spotted in the wild, the attacker leveraged the vulnerability to steal local files containing potentially sensitive information.

According to Mozilla, the attacker has been targeting certain types of files hosted on Windows and Linux systems. The exploit used in this attack is not designed to target Apple devices, but the company warns that Mac users are also at risk because the payload can be adapted.

The malware is designed to look for S3 Browser, Apache Subversion, and Filezilla configuration files; website configuration files for eight popular FTP clients; and .purple and Psi+ Jabber account information on Windows systems. On Linux, the exploit steals configuration files such as /etc/passwd; .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys; shell scripts; configuration files for Filezilla, Remmina, and Psi+; and text files whose name contains the strings “access” and “pass.” The stolen data is uploaded to a server located in Ukraine.

Mozilla says it’s surprising that the malware is designed to target developer-related files considering that it has been served on a news websites. However, it’s possible that the exploit was deployed on other types of sites as well.

Firefox for Windows and Firefox for Linux users are advised to change passwords and keys found in the files targeted by the attackers. The exploit is designed not to leave any traces on the targeted system.

Mozilla has pointed out that since the exploit was delivered via an advertisement, ad-blocking software, depending on how it was configured, might have mitigated the attack.

The vulnerability has been patched with the release of Firefox 39.0.3 and Firefox ESR 38.1.1. Users are advised to update their installations as soon as possible.

Related: Mozilla Patches Critical Vulnerabilities With Release of Firefox 39