A new Firefox exploit has been reported as already being used in the wild via aware-serving websites, enabling attackers to collect sensitive local files and upload them to an attacker-controlled server, leaving no trace of the payload’s presence.
The vulnerability does apparently affect Windows, Linux and Mac users, but not Android Firefox users. The reported incident, however, seems to only affect Windows and Linux users, although Mac fans could be targeted if the payload were to be slightly manipulated.
“On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients,” wrote Veditz. “On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts.”
Those who rely on adware-blocking services to browse without ads may have been safe from the vulnerability, depending on the type of software and filters.
The issue is said to have already been fixed with the new Firefox 39.0.3 and Firefox ESR 38.1.1 versions, but users are still encouraged to change all passwords or keys found in the above-mentioned files to prevent subsequent breaches.