Mozilla releases patch for exploit in Firefox PDF viewer

A vulnerability in Firefox’s PDF viewer created a critical vulnerability in Mozilla’s web browser. The leak was exploited through an advertisement on a Russian site. It sent sensitive information to a server in Ukraine. Mozilla has since released a patch.

The vulnerability was spotted on August 5, after which Mozilla released a security update on Thursday. For most users, this update will be installed automatically and the version number 39.0.3 will now appear on the ‘About Firefox’ screen. Extended support release 38 has also received the update and now has 38.1.1.

The zero-day vulnerability involved sending sensitive information on the user’s computer to a remote server in Ukraine. This sounds quite logical, but the attack was very specific to files that are widely used by developers. The latter surprised Mozilla, because the site where the exploit was being abused was aimed at the general public. It is not known whether the exploit has also been used on other sites.

The exploit specifically searched Windows for subversion, s3browser and Filezilla configuration files, .purple and Psi+ account information, and configuration files from eight other popular FTP clients. On Linux, the exploit looked for configuration files like /etc/passwd and then in all directories or user files it could enter, such as .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remmina, Filezilla, and Psi+ and several text files with ‘pass’ and ‘access’ in the name. Mac users were not a target in the attack, but would not have been immune if someone had included a different payload with the exploit.

The last important feature of the exploit is that it leaves no trace on the local machine. Users of Firefox on Windows or Linux are therefore advised to change the passwords and keys of the above files if they use one of the associated programs. People who use ad blockers may have been protected, but that depends on the filters used.