Update Firefox right now to squash file stealing bug
Firefox users are being encouraged to upgrade to the latest version of the browser as soon as possible after the discovery of a serious security flaw in the software. Mozilla was quick to patch the security hole which could result in users' personal files being uploaded to a remote server.
Affecting the Windows and Linux versions of Firefox, the security vulnerability stems from the browser's PDF viewer. It allows for the injection of JavaScript that could be used to locate sensitive files and transfer them to a remote server.
The security hole is marked as critical, but Mozilla's Daniel Veditz assures users that "products that don't contain the PDF Viewer, such as Firefox for Android, are not vulnerable". This is not just a hypothetical problem; instances of the vulnerability have been found out in the wild as described in a security advisory notice:
Security researcher Cody Crews reported on a way to violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer.
Mozilla has received reports that an exploit based on this vulnerability has been found in the wild.
The company also warns that Windows and Linux users should change passwords and keys associated with certain files and applications. It explains that:
Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with "pass" and "access" in the names, and any shell scripts.
Veditz notes that people who have ad-blocking tools installed may well have been protected against the vulnerability. If you haven't yet updated to Firefox 39.0.3, now is the time to do so.
Photo credit: Evan Lorne / Shutterstock