Slashdot Mirror


Mozilla Issues Fix For Firefox Zero-Day Bug

An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."

65 of 115 comments

  1. External PDF viewer? by maugle · · Score: 3, Interesting

    Since this exploit uses an interaction between javascript and Firefox's built-in PDF viewer, it sounds like this doesn't affect people running NoScript. But what about people who don't use the built-in PDF viewer? e.g., if clicking on a PDF file opens the usual "download/open file" dialog, will the exploit still work?

    1. Re:External PDF viewer? by U2xhc2hkb3QgU3Vja3M · · Score: 5, Insightful

      Why does a Web browser have a built-in PDF viewer in the first place?

      A PDF file is an external document not meant to be viewed inside a browser. Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

    2. Re:External PDF viewer? by Anonymous Coward · · Score: 1

      Because Chrome has one.

    3. Re:External PDF viewer? by Anonymous Coward · · Score: 1

      Why does Chrome have one? It's a web browser. The same questions apply.

    4. Re:External PDF viewer? by 0123456 · · Score: 4, Funny

      Why does Chrome have one? It's a web browser. The same questions apply.

      Hipsters.

    5. Re:External PDF viewer? by mlts · · Score: 1, Informative

      It is a tough choice. Build in your own PDF viewer, or use an existing one that pops up security holes now and then. In general, the built in ones have far fewer features, so there are fewer security holes.

      Chrome is better at this because it does more compartmentalization than Firefox. Firefox runs plugins in a separate process, but that is about the extent of the isolation they get, while Chrome runs everything in separate tasks, and you can even kill them in the browser.

      The only real long term solution is to have the OS cooperate with the browser, and completely isolate each individual browser tab (not just a lower security context, but filesystem and other space), so a rogue process is well isolated. That, and focus on not requiring third-party programs for Web content.

    6. Re:External PDF viewer? by steelfood · · Score: 1

      From Hacker News, it seems this exploit is in PDF.js. If you're not running PDF.js, there's no security hole.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    7. Re:External PDF viewer? by Lunix+Nutcase · · Score: 1

      Who do you trust more to create software with less security holes: Google or Adobe?

    8. Re:External PDF viewer? by Lunix+Nutcase · · Score: 1

      Sorry, was responding to wrong person but you can just switch Google with Mozilla. Mozilla has their share of software issues, for sure, but nothing even remotely as bad as Adobe's track record.

    9. Re:External PDF viewer? by parkinglot777 · · Score: 1

      Why does Chrome have one? It's a web browser. The same questions apply.

      Then go back and ask Firefox?

    10. Re:External PDF viewer? by phantomfive · · Score: 3, Interesting

      Because it's convenient. Because users like that feature. Those are the reasons.

      is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

      If enough web links go directly to that type of file, then they might. For the same reasons.

      --
      "First they came for the slanderers and i said nothing."
    11. Re:External PDF viewer? by Lennie · · Score: 3, Interesting

      Because users were not updating their external PDF viewers, so they included a viewer which does get frequent updates because the browser gets frequent updates. Thus making it a more secure solution.

      If you are using Adobe Acrobat it includes Javascript and Flash support and lots of other stuff you can't even imagine. Supposedly the code base of Adobe Acrobat is bigger than browsers like Firefox.

      --
      New things are always on the horizon
    12. Re:External PDF viewer? by ArchieBunker · · Score: 1

      And Chrome's version works a million times better/faster.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    13. Re:External PDF viewer? by simplypeachy · · Score: 2

      Or set your browser to download (or at least prompt) the PDF instead of automatically executing the PDF with any software. That way, a PDF you choose to look at can still work fine, but a drive-by exploit attempt will have another speedbump to get past.

    14. Re:External PDF viewer? by freeze128 · · Score: 4, Interesting

      Firefox, Chrome, and even the new Microsoft Edge have built-in PDF viewers. Perhaps it's because EVERYONE thinks that they can build a better PDF reader than Adobe.

    15. Re:External PDF viewer? by westlake · · Score: 1

      That, and focus on not requiring third-party programs for Web content.

      But will web content ever remain static long enough for browser standards to keep pace? Mozilla tied itself up in knots over H.264 long after it had eclipsed all other contenders for HD video support.

    16. Re:External PDF viewer? by Spamalope · · Score: 4, Funny

      You'd have to work very hard to build one with a greater variety and number of security problems.

    17. Re: External PDF viewer? by tepples · · Score: 1

      Which PDF reader publisher do you trust more than Mozilla and Adobe?

    18. Re:External PDF viewer? by tepples · · Score: 3, Informative

      Why does a Web browser have a built-in PDF viewer in the first place?

      Because just as text/html is a commonly used media type on the web, so is application/pdf. Having a PDF viewer written in JavaScript contributes to the Downloads folder not being quite as littered. And because not only is JavaScript inherently less subject to accidental "undefined behavior" than the C++ in which I assume Adobe implemented its Reader, but also has Mozilla shown itself to be more responsive than Adobe to security issues. That's also why Mozilla has been working on Shumway, its SWF player.

      Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

      Anyone who wants to write a JavaScript viewer for those formats is free to do so.

    19. Re:External PDF viewer? by ShaunC · · Score: 5, Informative

      You can go to about:config and set the value for pdfjs.disabled to true, or create that setting (boolean type) if it doesn't exist. That'll cause Firefox to pop up a download dialog when you click a PDF link, and you can use something like Sumatra to open the file.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    20. Re:External PDF viewer? by Darinbob · · Score: 1

      Hipsters with keys to the family car.

    21. Re:External PDF viewer? by Darinbob · · Score: 2

      Why can't Adobe write a PDF viewer that just does the job simply and without the feature overload that leads to the most bug ridden software since the Microsoft Butterfly 98 Home Edition?

    22. Re:External PDF viewer? by gl4ss · · Score: 1

      my guess: pdf.js runs on different permission set since it's not downloaded over the web.

      --
      world was created 5 seconds before this post as it is.
    23. Re:External PDF viewer? by bedouin · · Score: 1

      The first browser that allowed PDFs to be displayed inline without a plugin was Safari since its beta stages. That's because OS X has had the ability to display PDFs built in to it since its Nextstep days. So, it all stems from a desire to duplicate a feature in Safari that was actually a native feature of OS X...

    24. Re:External PDF viewer? by tepples · · Score: 1

      So now instead of just having to worry about bugs in Firefox's HTML rendering engine and, say, Evince (or whatever other PDF viewer you use to open saved PDFs) you now also have to worry about bugs in Firefox's PDF rendering code.

      Because Firefox's PDF rendering code is in JavaScript, a memory-safe language, entire classes of bugs that might affect a standalone PDF reader like Evince or Adobe or Foxit or Sumatra are not possible. For example, JavaScript arrays are always bounds checked, meaning there's no such thing as a buffer overflow.

    25. Re:External PDF viewer? by adhdengineer · · Score: 1

      because for some ungodly reason documents that people put online are sometimes in PDF format and it's nice to be able to open them with just a click on the link rather than the download/open another app method.

  2. Re:Open source? by Anonymous Coward · · Score: 1, Insightful

    Nothing is perfect. Open or closed source. What you should focus on is the manner and speed of a company's efforts to rectify any issues.

  3. Re:Open source? by MagickalMyst · · Score: 1

    "I thought the consensus here was that open source software was secure?"

    Fundamentally it is more secure, but it depends on how secure the user makes it.

    You can buy the best locks for your house and bullet proof windows, but if you don't lock the door, leave the windows open and leave the spare key in plain view on the patio it really doesn't matter how secure the components are. If they are not installed or configured properly then security will be lax or non-existent.

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
  4. Re:Open source? by mlts · · Score: 1

    Because everything, across the board, is being slammed hard, be it BIOS/EFI firmware, holes like F0 0F in the CPU, open source items, closed source items, IoT devices, you name it... the amount of attacks have risen in number and sophistication by an extreme.

  5. Re:People still use Firefox? by U2xhc2hkb3QgU3Vja3M · · Score: 4, Informative

    On Windows, your choices are:

    • Firefox, the bloated browser with memory leaks who forgot the whole point of its creation
    • Chrome, the fast browser with built-in spyware from the Do-no-evil-but-let's-datamine-the-shit-out-of-our-users-anyway company
    • Edge, the browser made by the company with possibly the worst security history on the planet
    • Opera, the company that dropped its own engine and is now just basically a Chrome clone

    edit: Slashdot lets us use HTML in our posts but makes bullets invisible... way to go, guys.

  6. Re:Open source? by jimtheowl · · Score: 1

    Not anymore.
    Those people have moved on to soylentnews.org

  7. Re:People still use Firefox? by Lunix+Nutcase · · Score: 1

    This list isn't even exhaustive and it's far more than the 4 choices you claim are all that exist.

  8. Re:Debian Stretch Vulnerable by bigfinger76 · · Score: 1

    Care to expand on that?

  9. Re:People still use Firefox? by Lunix+Nutcase · · Score: 3, Insightful

    It's disabled by default.

    Integrated PDF reader. The code for this is still included for emergencies (i.e. when you need to read a PDF but don't have access to a reader) but disabled by default - you are always recommended to use a separate, up-to-date document reader for PDF files (as an external program, not as a browser plugin) for your own security, and to have documents displayed in their fully intended format instead of a stripped-down display in an in-browser reader.

    https://www.palemoon.org/techn...

  10. Re:People still use Firefox? by Anonymous Coward · · Score: 1

    cool, .php3

    I'm really going to trust that list

  11. Re:People still use Firefox? by Lunix+Nutcase · · Score: 1

    Cool story, brah.

  12. I told you PDF in browser is a bad idea by Anonymous Coward · · Score: 1

    I told you I told you I told you. Seriously go back to when it was announced on Slashdot and I very specifically said this will be nothing but an additional attack vector.
    As soon as I updated to the version which had it I immediately set it to never activate knowing this would happen eventually and have never used it since.

  13. Re:People still use Firefox? by savuporo · · Score: 1

    Links, lynx, w3m still work on cygwin.

    --
    http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
  14. Thank You Mozilla!! by zenlessyank · · Score: 1, Offtopic

    Without Firefox, I don't think I could actually ENJOY the internet anymore. No other browser allows you to tame the net like Firefox and the world of plugins that have been written.

  15. Re:People still use Firefox? by Luthair · · Score: 3, Informative

    Firefox actually uses less memory than the others

  16. Re:Open source? by tnk1 · · Score: 2, Insightful

    Well, open source code is no more secure than closed source. That isn't a function of the source being open or closed. You can have poorly written open source software and excellent closed source stuff.

    The value of open source is the assumption that more eyes on an issue allows inevitable bugs to be found, and for potential users to inspect what they are running. Closed source would have to rely on the number of people authorized to view the code, and the customer will not be able to view the code, just the resulting functionality to evaluate its security.

    In reality, however, there is no guarantee that just because there is open source, that anyone will actually *look* at that code and even less assurance that someone who is qualified to read the code will have done so. So, a distinction needs to be made between open source software with a large and active community, and open sourced software that does not have an active community. You still get a *potential* advantage from having the source to look at, but it is only a potential advantage without the community. A closed source application could overcome those potential advantages by ensuring that they have excellent customer support, and are able to insure or indemnify customers against bad results.

    In any event, that is why you should never say open sourced software is simply "more secure". It isn't. And some of it is complete shit. What it does provide is the ability for a user/customer to be able to discover any issues for themselves, but *someone* has to go that extra step.

  17. Open source vs. exploits by Alwin+Henseler · · Score: 1

    Open source just lowers the bar for others to both contribute to this, and to potentially take advantage of bugs.

    You don't need source code to take advantage of bugs. Or even discover them. Almost always you do need source code to fix bugs, though.

    So that would be a good argument (one of many!) for why someone would prefer to use open source software. But how much that helps with bug-fixing, depends very much on each project's regular maintainers ("upstream").

  18. Re:Question by Lunix+Nutcase · · Score: 1

    As long as the PDF reader is disabled, no.

  19. Re:People still use Firefox? by phantomfive · · Score: 1

    Firefox, the bloated browser with memory leaks

    Note: the memory leaks are mostly fixed by now.

    --
    "First they came for the slanderers and i said nothing."
  20. Re:Open source? by rsmith-mac · · Score: 2, Interesting

    Nothing is perfect.

    Agreed. And this goes especially for browsers, since they're hitting a moving target.

    That said, this exploit highlights the fact that Mozilla still hasn't gotten their act together on layered security. Firefox remains the only browser not to run in low integrity mode (i.e. protected mode) on Windows, so while certain plugins like Flash are sandboxed, the greater browser is not. This goes hand in hand with the fact that Firefox currently does not have the ability to run each tab/window in its own process, making it harder to sandbox malicious content, and is why a bad tab can still take down the whole browser. Heck, the UI and the content still run in the same process, making it all the easier for bad content to reach out and touch the rest of the browser and the system.

    This vulnerability is an unfortunate reminder that Firefox is badly behind the curve on browser security. For the most part Mozilla is putting out fires by patching exploits, but the work on fixing the underlying issues has been much slower. The fact that in 2015 they still can't match the process isolation abilities of 2009's IE8 is a little embarrassing, and very frustrating.

    Mozilla means well, and while no one is perfect they are sadly about the farthest browser vendor from it at the moment.

  21. Re:Open source? by hyperar · · Score: 1

    Yes, that's why there are no few-years-old bugs, right? Sadly, the reality is otherwise, whether you like it or not.

  22. Re:Commendably swift action by Mozilla by chasm22 · · Score: 1

    Is this the real person that divulged it? I ask because I can't quite figure out why we have this blog post https://blog.mozilla.org/secur... .
    It backs up the version you report.

    However, if you go to this page https://www.mozilla.org/en-US/... you will find that they are giving credit to an entirely different person. A security researcher named Cody Crews.

    It's interesting because everyone is giving Mozilla a big slap on the back for acting so fast, yet the fact of the matter is if MSFA 2015-78 is to be believed, we actually don't have the timeline between when it was first reported until it was patched. In this scenario, all we have is the timeline between the time it was found in the wild until it was patched. That would leave me asking this; Did Mozilla put off the patch until they discovered it was in the wild already?

  23. Re:Firefox about shows 31.8.0 as latest by bigredbob · · Score: 1

    I have the same question - I wonder if the post should have read 31.8.1, and being ESR, the QA is just taking longer

  24. Patch and don't forget this... by chasm22 · · Score: 3, Interesting

    "The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. "

    It's taken from the blog about the exploit and doesn't seem to be drawing much attention.

  25. Re:People still use Firefox? by imac.usr · · Score: 1

    You left out Safari, built by the same team that brought you iTunes for Windows so you know it's quality!

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
  26. Generic FUD by Schiller555 · · Score: 1

    ...from the propaganda specialists hired by some big corporation.

  27. Yeah Jeffrey Ir Rational by Schiller555 · · Score: 1

    It would be much better folks ran Adobe Reader. NOOOT !

  28. Really ? by Schiller555 · · Score: 1

    Now, what would people then use to view PDFs ? One of these commercialware PDF viewers, bug-ridden and with an infinite supply of zero days ? Or would they use libpoppler, chock-full of nasty C constructs like "void*" instead of proper generic programming ? Besides libpoppler and the commercialware dreck there are very few PDF renderers. Maybe you take the time to research the situation and maybe you will figure Mozilla is actually one of the more secure alternatives when it comes to renderers.
    Having said that, generally cyberspace could be made much, much more secure. JavaScript and C, being often used in a shitty-typed way are both major security risks. PHP is even worse, for similar reasons.

    The age of Algol, Burroughs, ELBRUS, ICL was probably more secure than the craptastic, marketing-driven IT world we have since Unix and C.

    And no, not a mainframe guy, I grew up with C and HP Unix, but my intelligence allowed me to question my upbringing, so to speak.

    Can we have "computer system archeology" in order to learn for a better future ???

  29. Re:People still use Firefox? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    Actually Safari and iTunes on OS X work fine, thank you very much.

  30. Re:Debian Stretch Vulnerable by bigfinger76 · · Score: 1

    I didn't think so.

  31. V39.0, no updates available by GNious · · Score: 1

    Just checked, my Firefox says it is version 39.0 - no third number (39.0.3), and the application itself says it is "up to date".
    Would think that they'd include the full version-number in the About box (the place they say to go to check for updates), just so users can be 100% certain they are using the right one :/

    1. Re:V39.0, no updates available by twosat · · Score: 1

      Just did the same, with the same result.

    2. Re:V39.0, no updates available by twosat · · Score: 1

      Further to my post, a message balloon popped up about an hour ago saying that the update was available. I tried the same thing with the same result as before. Then, I thought that maybe it was something to do with me running as a Limited User, so I right-clicked the Firefox icon and chose the "Run as administrator" option. I logged in, Firefox promptly started up and I successfully updated from there.

  32. Re:Open source? by JustAnotherOldGuy · · Score: 1

    Free Software does tend to be based on more secure designs.

    Yes, I'd say that's generally the case. I was responding more to his flat, blanket claim that "open source software was secure", which implies that open source software has no vulnerabilities, period. His comment was just a bit too trollish in my opinion.

    On the other hand, pretty much everything is better than the market leader monopoly-ware product. This is pretty much the way it's always been.

    Some is, some isn't. Some OS applications are so much better than the commercial offerings that I often wonder how the commercial companies manage to stay in business. At the same time, there are a fair number of large OS projects that can only be described as blobs of poorly-written crap that simply don't work.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  33. You're not up-to-date; the "application" lied by SpammersAreScum · · Score: 1

    There does appear to be a problem with the manual update set up. I ended up proceeding as if I were doing a fresh install: go to https://www.mozilla.org/en-US/... to download the installer and run it. When you do, and restart Firefox, About will in fact say 39.0.3.
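  A small audit script, added here as an example (it is not code from the page, from Mozilla, or from any commenter), tying together the pdfjs.disabled workaround from comment 19 and the version confusion in comments 31 and 33: it parses the user_pref lines of a Firefox prefs.js or user.js, reports whether the built-in PDF viewer is still enabled, and compares the reported version against the fixed releases named in the summary (39.0.3 for release, 38.1.1 for ESR). The prefs.js content below is constructed sample data; how you obtain the version string (for example the output of `firefox --version`) is an assumption, and the channel has to be passed explicitly because the script does not detect it.

```python
import re

# Constructed sample of a Firefox prefs.js (not a real profile file); the
# pdfjs.disabled line is the default state that leaves the built-in viewer on.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1438300000);
user_pref("browser.startup.homepage", "about:home");
user_pref("pdfjs.disabled", false);
"""

# Versions in which, per the summary, the fix shipped for each channel.
FIXED_VERSION = {"release": "39.0.3", "esr": "38.1.1"}

# user_pref("name", value);  -- value is a JS literal: true/false, a number or "string"
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js / user.js text into a dict of preference name -> value."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref call
        name, raw = m.groups()
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave unrecognised literals as text
    return prefs


def parse_version(text):
    """Return a comparable (major, minor, patch) tuple from a version string.

    Accepts "39.0", "39.0.3" or a line such as "Mozilla Firefox 39.0.3"; a
    missing patch number counts as 0, so "39.0" sorts below "39.0.3".
    """
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def assess(prefs, version, channel="release"):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    fixed = FIXED_VERSION[channel]
    if parse_version(version) < parse_version(fixed):
        findings.append(f"version {version!r} is below the fixed {channel} release {fixed}")
    if prefs.get("pdfjs.disabled") is not True:
        findings.append("pdfjs.disabled is not true: the built-in PDF viewer is still enabled")
    return findings


def hardened_user_js():
    """The single user.js line that applies the workaround from the thread."""
    return 'user_pref("pdfjs.disabled", true);\n'


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    for finding in assess(prefs, "Mozilla Firefox 39.0") or ["no findings"]:
        print(finding)
    print("workaround line for user.js:", hardened_user_js().strip())
```

  Run against the sample it reports two findings (version 39.0 below 39.0.3, viewer enabled). Note that both checks are independent: disabling pdf.js is a workaround for this one exploit, not a substitute for taking the update.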

  34. Re:People still use Firefox? by rev0lt · · Score: 2

    Unless you're one of the users running into those mysterious "memory leaks" that nobody can replicate once they file an actual bug

    I stopped using Firefox a couple of years ago because of this. They're not mysterious, they were real. Try opening a reasonable amount of tabs (50-100), and leave the browser open for a day or two, and you'll probably be able to reproduce it.

  35. Re:Open source? by rsmith-mac · · Score: 1

    Counter-point: Google Chrome managed multiple processes and isolation on multiple platforms, including Windows XP, something not even Microsoft did.

  36. Re:People still use Firefox? by KGIII · · Score: 1

    Are you sure that 50 to 100 is actually a reasonable number of tabs to open? I have some blisteringly fast computers with absolutely retarded amounts of RAM and I still would find that many tabs unreasonable.

    --
    "So long and thanks for all the fish."
  37. Re:People still use Firefox? by rev0lt · · Score: 1

    I actually have currently probably > 200 tabs open in my 4 or 5 Chrome windows on a 2-year old i7 with 8GB of RAM without any major issues. The fact that I only had problems with Firefox is also a good clue it's not the number of tabs (had also used Opera with the same kind of load without major issues)

  38. Re:People still use Firefox? by KGIII · · Score: 1

    Personally, I can not fathom having that many tabs open. I can think of no case where that would help me. Also, I am an Opera user almost exclusively. I have been since it was pay-ware. I did use and donated (I seem to recall they put my name in a newspaper but I forget which one) Firefox but they have gone downhill. Now, when I install Linux, I use Firefox like I would use IE. I use it just long enough to download another browser. I could just grab one out of the repo but I really prefer my Opera and I have yet to find one with the current Opera builds in them.

    --
    "So long and thanks for all the fish."