Update Firefox NOW to foil FILE-STEALING vulnerability exploit, warns Mozilla
Ursi contra vulpes
Firefox users have been urged to update to browser version 39.0.3, following the discovery of a vuln that allows an attacker to read and steal sensitive local files on the victim's computer via the browser's PDF reader.
The Firefox exploit, discovered by security researcher Cody Crews, allows an attacker to violate the same origin policy and inject script into a non-privileged part of the browser's built-in PDF Viewer.
Mozilla said that on the morning of 5 August a user provided the organisation with information showing how the vuln was being exploited in the wild.
An advert on an unnamed news site in Russia was serving the exploit, according to Mozilla, and then uploading sensitive pilfered files to a server, apparently located in Ukraine.
Mozilla has now released Firefox 39.0.3 to close the hole. The fix has also shipped on the extended support channel in Firefox ESR 38.1.1.
All Firefox users are urged to update to Firefox 39.0.3 (or ESR 38.1.1).
While the vulnerability does not allow remote code execution, the exploit injected a JavaScript payload into the local file context, which let the malefactor search the machine for sensitive local files and upload them. Updating stops further exploitation but does not undo an upload that has already happened: anyone who browsed with a vulnerable build should assume that files the payload could read may already have left the machine.
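A fleet triage helper, added here as an example and not Mozilla's or The Register's code: it decides from a Firefox version string (bare, or as printed by `firefox --version`) whether the build carries this fix, using the fixed versions given above (39.0.3 on the release channel, 38.1.1 on the 38 ESR line). The inventory lines are constructed, and the optional `esr` suffix handling is an assumption about how a host reports its version.

```python
"""Classify Firefox builds as patched or not for the PDF Viewer
same-origin bypass fixed in Firefox 39.0.3 / ESR 38.1.1.

Example code written for this article; not Mozilla's own tooling.
"""
import re
from typing import Dict, List, Tuple

# Fixed builds per Mozilla, keyed by the branch they belong to.
FIXED_RELEASE = (39, 0, 3)   # release channel: 39.0.3 and later
FIXED_ESR = (38, 1, 1)       # 38.x exists only as ESR past 38.0.x: 38.1.1 and later

# Accepts "39.0.3", "38.1.1esr" or the full "Mozilla Firefox 39.0.3" line.
# The optional "esr" suffix is an assumed reporting format, not Mozilla's spec.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_esr) parsed from a version string."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None


def is_patched(text: str) -> bool:
    """True if this build carries the fix for the PDF Viewer SOP bypass."""
    v, _is_esr = parse_version(text)
    major = v[0]
    if major >= 39:
        # Release channel (and any later ESR major, which postdates the fix).
        return v >= FIXED_RELEASE
    if major == 38:
        # 38.0.x release builds never got this fix; 38.1.1esr and later did.
        return v >= FIXED_ESR
    # Older lines (e.g. ESR 31) are not listed as fixed by the advisory.
    return False


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: reported version}, return hosts still vulnerable.

    Unparseable entries are reported too: an unknown build must be treated
    as unpatched until someone checks it by hand.
    """
    needs_update = []
    for host, reported in inventory.items():
        try:
            if not is_patched(reported):
                needs_update.append(host)
        except ValueError:
            needs_update.append(host)
    return sorted(needs_update)


# Constructed sample inventory, as an admin tool might collect it.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 39.0.3",
    "ws-02": "Mozilla Firefox 39.0.2",
    "ws-03": "38.1.1esr",
    "ws-04": "38.1.0esr",
    "ws-05": "38.0.5",
    "ws-06": "31.8.0esr",
    "ws-07": "40.0",
    "ws-08": "version unknown",
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update to Firefox 39.0.3 / ESR 38.1.1")
```

Treat a passing check as necessary rather than sufficient: it says the browser can no longer be exploited this way, not that nothing was taken while it was vulnerable.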