Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Issues Fix For Firefox Zero-Day Bug

Posted by samzenpus on from the the-fix-is-in dept.

An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."

5 of 115 comments (clear)

  1. External PDF viewer? by maugle · · Score: 3, Interesting

    Since this exploit uses an interaction between javascript and Firefox's built-in PDF viewer, it sounds like this doesn't affect people running NoScript. But what about people who don't use the built-in PDF viewer? e.g., if clicking on a PDF file opens the usual "download/open file" dialog, will the exploit still work?

    1. Re:External PDF viewer? by phantomfive · · Score: 3, Interesting
      Because it's convenient. Because users like that feature. Those are the reasons.

      is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

      If enough web links go directly to that type of file, then they might. For the same reasons.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:External PDF viewer? by Lennie · · Score: 3, Interesting

      Because users where not updating their external PDF viewers, so they included a viewer which does get frequent updates because the browser gets frequent updates. Thus making it a more secure solution.

      If you are using Adobe Acrobat it includes Javascript and Flash support and lots of other stuff you can't even image. Supposedly the code base of Adobe Acrobat is bigger than browsers like Firefox.

      --
      New things are always on the horizon
    3. Re:External PDF viewer? by freeze128 · · Score: 4, Interesting

      Firefox, Chrome, and even the new Microsoft Edge have built-in PDF viewers. Perhaps it's because EVERYONE thinks that they can build a better PDF reader than Adobe.

  2. Patch and don't forget this... by chasm22 · · Score: 3, Interesting

    "The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. "

    It's taken from the blog about the exploit and doesn't seem to be drawing much attention.