A new major vulnerability plaguing Firefox has Mozilla warning users to update the Web browser as soon as possible. The company is urging all Firefox users to update to Firefox 39.0.3 to fix the vulnerability and protect themselves from an exploit that has been found in the wild.
The browser is set to automatically update by default, but users should manually check to ensure that the update has indeed gone through.
Mozilla said it first learned about the bug Wednesday morning when a Firefox user informed the company that an advertisement on a news Web site in Russia was serving an exploit for the browser that searched for specific, sensitive files before uploading them to a server that appeared to be located in Ukraine.
The vulnerability allows attackers to violate the browser’s same-origin policy and inject script into a non-privileged part of Firefox’s built-in PDF viewer. The same-origin policy is a browser security rule that lets a script running on one Web page access data from a second page only if both pages share the same origin (the same scheme, host and port). By bypassing it, the bug allows an attacker to read and steal sensitive local files on the victim’s computer.
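As an added illustration, not code from the article or from Mozilla, the following is the (scheme, host, port) comparison a browser performs for the policy just described, run over a few constructed URLs: an ad frame, the news site hosting it, and a local file of the kind the exploit read. Treating file: URLs as an opaque origin that matches nothing is an assumption of this example, not a statement about Firefox’s internals.

```javascript
// Same-origin check: two URLs share an origin only if scheme, host and port all match.
// Default ports are filled in so "https://a.example" and "https://a.example:443" agree.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const url = new URL(urlString);
  // Assumption for this example: local files get an opaque origin that never matches.
  if (url.protocol === "file:") {
    return { scheme: "file:", host: null, port: null, opaque: true };
  }
  return {
    scheme: url.protocol,
    host: url.hostname,
    port: url.port || DEFAULT_PORTS[url.protocol] || "",
    opaque: false,
  };
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.opaque || ob.opaque) return false; // opaque origins match nothing, not even themselves
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed URLs (placeholders, not real sites or paths). A policy-compliant browser
// must refuse every cross-origin read below; the article's bug is what let one through.
const CASES = [
  ["https://news.example/article", "https://news.example:443/other", true],
  ["https://news.example/article", "http://news.example/article", false],
  ["https://ads.example/creative.html", "https://news.example/article", false],
  ["https://ads.example/creative.html", "file:///C:/Users/dev/.purple/accounts.xml", false],
];

// Returns the list of cases whose outcome differs from the expected one (empty = all correct).
function policyViolations(cases = CASES) {
  return cases.filter(([a, b, expected]) => sameOrigin(a, b) !== expected);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("violations:", policyViolations());
}
```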
The exploit appears to be designed to search for files with specific relevance to software developers, according to Mozilla. “The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though, of course, we don’t know where else the malicious ad might have been deployed,” Mozilla noted. Ad-blocking software may have protected some machines, depending on which specific software and filters were used, the company added.
Even more troubling, Mozilla reported that the exploit leaves no trace of itself on the local machine, making it difficult for users to know if their files had been compromised. Mozilla urged users running Firefox on Windows and Linux systems to change any passwords and keys for programs targeted by the exploit. Mac users were not vulnerable to the particular exploit found in the wild, but would be vulnerable if another hacker designed a payload targeting Macs.
Firefox users on Windows machines should change the passwords stored in or associated with the following files targeted by the exploit: Subversion, S3Browser and FileZilla configuration files; .purple and Psi+ account information; and site configuration files from eight different popular FTP clients.