Mozilla Issues Fix For Firefox Zero-Day Bug
An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."
Since this exploit uses an interaction between JavaScript and Firefox's built-in PDF viewer, it sounds like this doesn't affect people running NoScript. But what about people who don't use the built-in PDF viewer? E.g., if clicking on a PDF file opens the usual "download/open file" dialog, will the exploit still work?
They should have fixed the bug that caused the PDF viewer to be in there in the first place. And the bug that caused it to be on by default.
Agreed. And this goes especially for browsers, since they're hitting a moving target.
That said, this exploit highlights the fact that Mozilla still hasn't gotten their act together on layered security. Firefox remains the only browser not to run in low integrity mode (i.e. protected mode) on Windows, so while certain plugins like Flash are sandboxed, the greater browser is not. This goes hand in hand with the fact that Firefox currently does not have the ability to run each tab/window in its own process, making it harder to sandbox malicious content, and is why a bad tab can still take down the whole browser. Heck, the UI and the content still run in the same process, making it all the easier for bad content to reach out and touch the rest of the browser and the system.
This vulnerability is an unfortunate reminder that Firefox is badly behind the curve on browser security. For the most part Mozilla is putting out fires by patching exploits, but the work on fixing the underlying issues has been much slower. The fact that in 2015 they still can't match the process isolation abilities of 2009's IE8 is a little embarrassing, and very frustrating.
Mozilla means well, and while no one is perfect, they are sadly about the farthest browser vendor from it at the moment.
"The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs."
It's taken from the blog about the exploit and doesn't seem to be drawing much attention.