Update Your Firefox Browser to Fix a Major Browser Vulnerability, Now!

Mozilla Firefox browser users are being urged to update to the latest version of the open-source browser after a major vulnerability was found with the potential to steal sensitive data from user computers. The latest version of the browser is patched and now immune to the vulnerability.

Mozilla Firefox users on Windows and Linux platforms are being advised to update to the latest version of the browser (version 39.0.3) after an exploit was discovered in the wild which “searched for sensitive files and uploaded them to a server that appears to be in Ukraine,” Mozilla announced in a blog post.

The vulnerability allows attackers to inject JavaScript that searches for, locates and even uploads sensitive data from users’ hard drives to a server that appears to be located in Ukraine.

The Threat of Ad-based Exploits

The exploit affects only PCs running Windows and Linux at present, although Mozilla security lead Daniel Veditz warned that Mac users are vulnerable and “would not be immune” if a malicious hacker chose to target them by exploiting the same vulnerability. Moreover, the exploit is triggered “from the interaction of the mechanism that enforces JavaScript context separation and Firefox’s PDF Viewer.” In other words, only Firefox versions with the built-in PDF Viewer are vulnerable. Other versions, such as Firefox for Android, are not.

“The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files,” explained Mozilla publicly in their blog.

The Discovery

The first red flag was raised when an advanced Firefox user discovered that an advertisement embedded on a fairly popular Russian news website was siphoning sensitive data using an exploit. The data was quietly uploaded to a remote server in Ukraine, with no visible indication of activity.

“The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don’t know where else the malicious ad might have been deployed,” noted Daniel Veditz, a security researcher at Mozilla.

Significantly, Firefox users may never realize that they were victims of a breach, according to Mozilla, which offered advice to those using the browser.

“The exploit leaves no trace it has been run on the local machine,” Mozilla said. “If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs.”

A Critical Security Advisory Issued by Mozilla

Cody Crews, a security researcher working at Mozilla, underlined the significance of the vulnerability by rating the impact of the threat as critical, after which Mozilla released a security advisory.

The description of the advisory reads:

“Security researcher Cody Crews reported on a way to violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim’s computer. Mozilla has received reports that an exploit based on this vulnerability has been found in the wild.”

The affected products include:

  • The Firefox browser.
  • Firefox ESR (Extended Support Release, “intended for groups who deploy and maintain the desktop environment in large organizations.”)
  • Firefox OS (Mozilla’s Linux kernel-based operating system, already shipping on smartphones, tablets and smart TVs. The OS is developed by Mozilla and is entirely open source.)

The patch was issued soon after, with the fixes applied in Firefox 39.0.3, Firefox ESR 38.1.1 and Firefox OS 2.2.

Updating Your Firefox Browser

Although Firefox checks for updates automatically at periodic intervals, a manual update is strongly recommended. Here’s how to update quickly:

  • Open the “hamburger” settings menu in the upper right and select the question-mark icon at the bottom of the panel that opens.
  • Select ‘About Firefox’ and the browser will immediately check for updates.
  • If you’re already on 39.0.3, you’re all set. Otherwise, the update is applied and you’ll be on the latest patched version of the browser.
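For anyone responsible for more than one machine, here is an added Python check (not code from the article or from Mozilla) that reads the banner printed by `firefox --version` for each host and flags builds still below the fixed versions named above. The banner format, the sample inventory and the treatment of the 38.x line as the ESR channel are assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Fixed versions from Mozilla's advisory as quoted in this article.
FIXED_RELEASE = (39, 0, 3)   # Firefox release channel
FIXED_ESR = (38, 1, 1)       # Firefox ESR channel

# Assumed banner format: "Mozilla Firefox 39.0.3" or "Mozilla Firefox 38.1.1esr".
_VERSION_RE = re.compile(
    r"Mozilla Firefox\s+(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?", re.IGNORECASE)


class FirefoxVersion(NamedTuple):
    parts: Tuple[int, int, int]
    esr: bool


def parse_version(banner: str) -> Optional[FirefoxVersion]:
    """Parse a `firefox --version` banner; None if it does not look like one."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    # Assumption: an 'esr' suffix or the 38.x line marks the ESR channel.
    # (38.1.1 only exists on ESR, so a 38.x release build is classified
    # the same way and is still reported as unpatched, as it should be.)
    esr = bool(m.group(4)) or major == 38
    return FirefoxVersion((major, minor, patch), esr)


def is_patched(v: FirefoxVersion) -> bool:
    """True when the build already carries the PDF Viewer fix for its channel."""
    return v.parts >= (FIXED_ESR if v.esr else FIXED_RELEASE)


def audit(host_banners: Dict[str, str]) -> List[str]:
    """Return hosts running an unpatched build or an unrecognisable banner."""
    needs_update = []
    for host, banner in host_banners.items():
        v = parse_version(banner)
        if v is None or not is_patched(v):
            needs_update.append(host)
    return sorted(needs_update)


# Constructed sample inventory, not real hosts.
SAMPLE_HOSTS = {
    "dev-laptop": "Mozilla Firefox 39.0.3",
    "build-box": "Mozilla Firefox 39.0",
    "kiosk-02": "Mozilla Firefox 38.0.5",
    "fileserver": "Mozilla Firefox 38.1.1esr",
}

if __name__ == "__main__":
    print("Hosts needing the update:", audit(SAMPLE_HOSTS))
```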


Ali is a freelance journalist with 5 years of experience in web journalism and marketing. He contributes to various online publications. With a master’s degree, he now combines his passions by writing about internet security and technology. When he is not working, he loves traveling and playing games.