Firefox Vulnerability Lets Attackers Steal Information; Mozilla Issues Patch

Mozilla is warning users about a vulnerability in its Firefox Web browser that could allow attackers to steal information from their computer. The browser-maker urges users to update Firefox to the latest available version -- v39.0.3 or above - to protect their system from the said vulnerability.

While by default Firefox automatically updates itself, those who have the setting off will have to manually update via the 'About Firefox' setting in the Help tab. Earlier this week, the company was notified by security researcher Cody Crews about a malicious ad on a Russian news portal that was exploiting a vulnerability in Firefox's PDF Viewer, a built-in feature. The exploit seeks sensitive files on the victim's computer and uploads it to a suspicious server reportedly located in Ukraine.

Versions of Firefox that don't support PDF Viewer including Firefox for Android client aren't vulnerable to the exploit. Firefox's Mac client is also not affected. "The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the 'same origin policy') and Firefox's PDF Viewer," wrote Mozilla security chief Daniel Veditz.

"The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files."

In the blog post, Veditz also notes that the exploit looks for subversion, s3browser, Firezilla, and libpurple configuration files on the Windows systems. On Linux, the payload checks global configuration files in the /etc directory. It also looks into .bashhistory, .mysqlhistory, .pgsql_history, and .ssh configuration files and keys.

Veditz says that people who use ad-blocking tools might not be affected with the vulnerability either, though it isn't too sure about that. Regardless, you would want to update your Firefox Web browser to the latest version.