Mozilla on Friday released security updates to fix a zero-day flaw in the Firefox browser.
An exploit that searches for sensitive files and uploads them to a server — possibly somewhere in Ukraine — has surfaced in an ad on a Russian news site, Mozilla reported last week.
The exploit impacts Windows and Linux users. Mac users could be hit by a modified version.
The vulnerability stems from the interaction between Firefox’s built-in PDF Viewer (PDF.js) and the mechanism that enforces JavaScript context separation, the “same origin” policy, Mozilla said. A malicious PDF served by the ad was able to escape that separation and run script with access to local files.
Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable to the exploit.
Firefox users should update to Firefox 39.0.3 or Firefox ESR 38.1.1 as appropriate.
“This smells of a targeted attack,” said Frank Dickson, a research director at Frost & Sullivan.
It’s “an attack against a vulnerability in a browser that one out of 20 people use, and one that’s only been seen in Russia to date,” he told LinuxInsider.
What the Exploit Does
The exploit injects a JavaScript payload into the local file context, which lets it search for and upload potentially sensitive local files.
It looks for developer-focused files, possibly bearing out Dickson’s surmise.
On Windows, it looks for Subversion, S3 Browser and FileZilla configuration files, as well as .purple (Pidgin) and Psi+ account information, and site configuration files from eight different popular FTP clients, Mozilla said.
On Linux, the exploit hunts for global configuration files such as /etc/passwd, which lists user accounts and their home directories. In all the user directories it can access, it looks for .bash_history, .mysql_history and .pgsql_history.
On Linux it also looks for .ssh configuration files and keys, along with configuration files for Remmina, FileZilla and Psi+, text files with “pass” and “access” in the names, and any shell scripts, Mozilla said.
The exploit leaves no trace of having run on the local machine, Mozilla said, so affected users have no way to tell whether they were hit.
Firefox users on Windows and Linux who use any of the associated programs should therefore assume exposure and change any passwords and keys stored in the files listed.
Users of ad-blocking software may be protected, depending on the software and specific filters they use, Mozilla noted.
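Because the exploit leaves no trace, the practical question for a Linux user is which credentials the payload could have read, and therefore which ones to rotate. The following shell function is an added example written for this page, not code from the article or from Mozilla: it walks a directory (a single home directory, or /home when run as root) and lists the files that match the Linux-side target list above. The function name, the directory argument and the exact filename patterns (for example, matching “pass” and “access” only in .txt names, and looking under the usual Remmina, FileZilla and Psi+ config directories) are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not from the article or Mozilla's advisory.
# list_exposed_files <dir>: print (sorted, one per line) the regular files under
# <dir> that the Linux payload was reported to hunt for. The output is a
# rotation checklist for passwords and keys; it never reads file contents.
# /etc/passwd is deliberately omitted: it is world-readable and holds no secret,
# the payload only used it to enumerate home directories.
list_exposed_files() {
    root="${1:-$HOME}"
    {
        # shell and database history files, which often contain pasted secrets
        find "$root" -type f \( -name .bash_history \
                                -o -name .mysql_history \
                                -o -name .pgsql_history \) 2>/dev/null
        # anything inside a .ssh directory: config, known_hosts, private keys
        find "$root" -type f -path '*/.ssh/*' 2>/dev/null
        # client configuration: Remmina, FileZilla, Psi+ (paths are assumptions
        # about where these clients keep their data)
        find "$root" -type f \( -path '*/.remmina/*' \
                                -o -path '*/.config/remmina/*' \
                                -o -path '*/.filezilla/*' \
                                -o -path '*/.config/psi+/*' \
                                -o -path '*/.local/share/psi+/*' \) 2>/dev/null
        # text files with "pass" or "access" in the name, and any shell script
        find "$root" -type f \( -iname '*pass*.txt' \
                                -o -iname '*access*.txt' \
                                -o -name '*.sh' \) 2>/dev/null
    } | sort -u
}

# Stand-alone use: scan the invoking user's home directory.
if [ "${0##*/}" = "list_exposed_files.sh" ]; then
    list_exposed_files "${1:-$HOME}"
fi
```

Run it as the affected user (or as root against /home) and treat every path it prints as a credential that may have left the machine; matching files are a list of things to rotate, not evidence of compromise, since the payload itself leaves nothing behind to detect.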
The Real Threat
Firefox claimed only 6.6 percent of the global browser market in July, according to NetMarketShare, and it’s been slipping for some time — but that doesn’t mean the exploit’s threat is minimal.
“Firefox may just be the canary in the coal mine,” said Rob Enderle, principal analyst at the Enderle Group.
“Just because Firefox reported it doesn’t mean a similar exploit with modifications might not work on Internet Explorer or Chrome, given the common elements among browsers,” he told LinuxInsider.
The discovery “looks accidental, not programmatic, which means it could have gone undetected for some time elsewhere,” Enderle pointed out.
The hack could be “an early test of something more dangerous that hasn’t been finished,” noted Richard Blech, CEO and cofounder of Secure Channels.
Another possibility is that it might have been “a random thing put up by a hacker who isn’t up to date on the latest platforms — a part-timer, if you will,” he told LinuxInsider.
Of all the major browsers, Microsoft’s Edge, available in Windows 10, is probably the most secure now, said Enderle, “both because it was designed to be and because it isn’t specifically targeted yet that we know of.”
Mozilla’s Response
Mozilla was unusually swift in putting out a patch for the flaw.
“Bravo!” Frost’s Dickson said. “That is tremendous. Often, we measure responses in months, not weeks or even days. This is awesome.”
However, the fix might have been an easy one, and “it would not be fair to hold others to the standard set by Mozilla,” he said.
For things like this, “you really want to look at whether the attacker got what they were targeting,” Enderle pointed out. “If they did, it doesn’t matter how fast the response was.”
It’s not clear how long the exploit had been in the wild before it was detected and Mozilla was notified, he added, “and that’s what matters most.”