Industry News

New Firefox Zero-Day Vulnerability Nabs Local Files and Leaves No Traces

A new Firefox exploit has been reported as already being used in the wild via aware-serving websites, enabling attackers to collect sensitive local files and upload them to an attacker-controlled server, leaving no trace of the payload’s presence. 

Although the vulnerability does not involve executing arbitrary code on the local machine, it is used to “inject a JavaScript payload into the local file context.”

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer,” wrote Daniel Veditz on the official Mozilla blog. “Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable.”

The vulnerability does apparently affect Windows, Linux and Mac users, but not Android Firefox users. The reported incident, however, seems to only affect Windows and Linux users, although Mac fans could be targeted if the payload were to be slightly manipulated.

“On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients,” wrote Veditz. “On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts.”

Those who rely on adware-blocking services to browse without ads may have been safe from the vulnerability, depending on the type of software and filters.

The issue is said to have already been fixed with the new Firefox 39.0.3 and Firefox ESR 38.1.1 versions, but users are still encouraged to change all passwords or keys found in the above-mentioned files to prevent subsequent breaches.

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.

1 Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.