Thread: Firefox exploit found in the wild

  1. #1
    Senior Member
    mickstv's Avatar

    Time to upgrade Firefox to the latest 39.0.3 ............




    Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.

    The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

    The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don’t know where else the malicious ad might have been deployed. On Windows the exploit looked for subversion, s3browser, and Filezilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts. Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload. [Update: we’ve now seen variants that do have a Mac section, looking for much the same kinds of files as on Linux.]

    The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.

    Link to Source.


  2. The Following 7 Users Say Thank You to mickstv For This Useful Post:

    allover (11-08-15),best4less (14-08-15),bob_m_54 (11-08-15),gulliver (11-08-15),joezep (11-08-15),lsemmens (11-08-15),tristen (11-08-15)
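
Added example, not part of the thread or of the quoted Mozilla text: a read-only inventory of one Linux home directory against the file categories listed in post #1, to build the list of passwords and keys to change. The function names, the directory-name matching for Remmina, Filezilla and Psi+, the `.txt`/`.sh` extension checks and the depth limit are assumptions of this sketch.

```python
"""Rotation checklist: list files in a home directory that fall into the
categories named in the advisory. Only names are inspected, never contents."""
import os
import sys

HISTORY = {".bash_history", ".mysql_history", ".pgsql_history"}
# Assumption: each client keeps its config under a directory whose name
# contains the client name (for example .filezilla or .config/remmina).
CLIENT_DIRS = ("remmina", "filezilla", "psi+")
MAX_DEPTH = 4  # assumption: bound the walk so large trees stay quick

def classify(rel_path):
    """Return the advisory category for a path relative to the home, or None."""
    parts = rel_path.lower().split("/")
    name, dirs = parts[-1], parts[:-1]
    if name in HISTORY:
        return "shell/database history"
    if ".ssh" in dirs:
        return "ssh config or key"
    if any(client in d for d in dirs for client in CLIENT_DIRS):
        return "client config"
    # Assumption: "text file" means a .txt name containing either word.
    if name.endswith(".txt") and ("pass" in name or "access" in name):
        return "text file named pass/access"
    if name.endswith(".sh"):  # scripts without an extension are not detected
        return "shell script"
    return None

def inventory(home):
    """Walk home without following symlinks; return sorted (category, path)."""
    hits = []
    home = os.path.abspath(home)
    for root, dirs, files in os.walk(home, followlinks=False):
        rel_root = os.path.relpath(root, home)
        depth = 0 if rel_root == "." else rel_root.count(os.sep) + 1
        if depth >= MAX_DEPTH:
            dirs[:] = []  # do not descend further
        for fname in files:
            rel = fname if rel_root == "." else os.path.join(rel_root, fname)
            category = classify(rel.replace(os.sep, "/"))
            if category:
                hits.append((category, rel))
    return sorted(hits)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for category, rel in inventory(target):
        print(f"{category:30} {rel}")
```

Every path it prints is a credential, key or history file to treat as exposed if the affected Firefox versions were used on that account.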



  • #2
    Senior Member joezep's Avatar

    Just checked what version I had and it was 38.0, tried to update and tells me I'm up to date WTF. Went to MajorGeeks and got the latest version from there. Firefox should lift their game if it takes security seriously.

  • #3
    Banned


    On my wife's laptop, Firefox 40 is installed, the version specific to Windows 10.

  • #4
    Senior Member
    mickstv's Avatar

    Quote Originally Posted by joezep View Post
    Just checked what version I had and it was 38.0, tried to update and tells me I'm up to date WTF. Went to MajorGeeks and got the latest version from there. Firefox should lift their game if it takes security seriously.

    Very strange.


    I just checked an old laptop running win 7; it had Firefox 34.0.5 on it and it updated to 39.0.3 without any issues.

  • #5
    Senior Member
    mickstv's Avatar

    Quote Originally Posted by jwoegerbauer View Post
    On my wife's laptop, Firefox 40 is installed, the version specific to Windows 10.

    40 works on win 7 also.

  • The Following User Says Thank You to mickstv For This Useful Post:

    joezep (12-08-15)

  • #6
    Banned


    Quote Originally Posted by mickstv View Post
    40 works on win 7 also.
    OK.

    Have expressed it wrong: should have been "recommended for" instead of "specific to".

  • #7
    Premium Member



    A new Firefox for Win 10
    Last edited by allover; 12-08-15 at 08:59 PM.
    There is a fine line between "Hobby" and "Madness"

  • The Following 2 Users Say Thank You to allover For This Useful Post:

    Tiny (13-08-15),tristen (13-08-15)

  • #8
    LSemmens
    lsemmens's Avatar

    I just got notified that new Firefox (40) is ready for download.
    I'm out of my mind, but feel free to leave a message...

  • #9
    Banned


    Quote Originally Posted by lsemmens View Post
    I just got notified that new Firefox (40) is ready for download.
    It has already been available for download for some days (if I'm not wrong, since 8th August). Installed Firefox 40 some days ago on my wife's Windows 10 laptop: see my previous post. Just saying ...


    IMPORTANT:

    Starting with Firefox 40, Mozilla now collects data about the user and how often and on which tiles he has clicked. The browser then transfers this data to a Mozilla server. The information is stored there along with the IP address of the user for up to seven days. After that the IP address is deleted, according to Mozilla.

    Mozilla also introduced so-called "Suggested Tiles" with Firefox 40, a controversial feature. This means that when opening a new tab, the browser no longer displays only tiles with pages that you have already visited. The browser will also make reference to pages that fit thematically to previously visited pages and may contain advertisements.
    Mozilla has even explicitly indicated that these proposals cannot be filtered out by an 'Ad blocker'.

    But you can disable the "Suggested Tiles" feature.
    Last edited by jwoegerbauer; 14-08-15 at 06:34 AM. Reason: IMPORTANT added

  • The Following User Says Thank You to jwoegerbauer For This Useful Post:

    mickstv (14-08-15)

  • #10
    Premium Member


    Mozilla 41 update just popped up as I was reading this post!!!
    There is a fine line between "Hobby" and "Madness"

  • The Following 2 Users Say Thank You to allover For This Useful Post:

    joezep (15-08-15),mickstv (14-08-15)

  • #11
    Senior Member
    best4less's Avatar

    Just updated mine just in case they get all my porn files

    Thanks Mick
    When you do things right, people won't be sure that you have done anything at all

  • The Following User Says Thank You to best4less For This Useful Post:

    mickstv (15-08-15)

  • #12
    Senior Member
    mickstv's Avatar

    When you turn off the New Tab Suggestive Tiles feature, new tabs always come up blank, which is annoying, but anyway here's a fix for that issue.



    Firstly turn off the New Tab Suggestive Tiles feature.

    1. Type about:config into the address bar.

    2. Search for browser.newtabpage.enabled and double click on it to change the value from true to false. Now when you open a new tab it will be blank.



    To make new tab page open as your home page.

    1. Type about:config into the address bar. (only redo this if you left about:config)

    2. Search for browser.newtab.url and double click on it.

    3. Change from about:newtab to your home page i.e.

    Then the next tab you open will always go straight to your home page.

    Last edited by mickstv; 15-08-15 at 10:48 AM.

  • The Following 4 Users Say Thank You to mickstv For This Useful Post:

    bob_m_54 (21-08-15),jwoegerbauer (15-08-15),Tiny (15-08-15),tristen (15-08-15)

  • #13
    Premium Member


    There is a fine line between "Hobby" and "Madness"

  • #14
    Banned


    Because I only open "Private Windows" in Firefox - I won't be tracked, and no "New Tabs", I'm not confronted with so-called "Suggested Tiles".
