Slashdot Mirror


Mozilla Issues Fix For Firefox Zero-Day Bug

An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."

18 of 115 comments

  1. External PDF viewer? by maugle · · Score: 3, Interesting

    Since this exploit uses an interaction between JavaScript and Firefox's built-in PDF viewer, it sounds like this doesn't affect people running NoScript. But what about people who don't use the built-in PDF viewer? e.g., if clicking on a PDF file opens the usual "download/open file" dialog, will the exploit still work?

    1. Re:External PDF viewer? by U2xhc2hkb3QgU3Vja3M · · Score: 5, Insightful

      Why does a Web browser have a built-in PDF viewer in the first place?

      A PDF file is an external document not meant to be viewed inside a browser. Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

    2. Re:External PDF viewer? by 0123456 · · Score: 4, Funny

      Why does Chrome have one? It's a web browser. The same questions apply.

      Hipsters.

    3. Re:External PDF viewer? by phantomfive · · Score: 3, Interesting

      Because it's convenient. Because users like that feature. Those are the reasons.

      is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

      If enough web links go directly to that type of file, then they might. For the same reasons.

      --
      "First they came for the slanderers and i said nothing."

    4. Re:External PDF viewer? by Lennie · · Score: 3, Interesting

      Because users were not updating their external PDF viewers, so they included a viewer which does get frequent updates because the browser gets frequent updates. Thus making it a more secure solution.

      If you are using Adobe Acrobat it includes JavaScript and Flash support and lots of other stuff you can't even imagine. Supposedly the code base of Adobe Acrobat is bigger than browsers like Firefox.

      --
      New things are always on the horizon

    5. Re:External PDF viewer? by simplypeachy · · Score: 2

      Or set your browser to download (or at least prompt) the PDF instead of automatically executing the PDF with any software. That way, a PDF you choose to look at can still work fine, but a drive-by exploit attempt will have another speedbump to get past.

    6. Re:External PDF viewer? by freeze128 · · Score: 4, Interesting

      Firefox, Chrome, and even the new Microsoft Edge have built-in PDF viewers. Perhaps it's because EVERYONE thinks that they can build a better PDF reader than Adobe.

    7. Re:External PDF viewer? by Spamalope · · Score: 4, Funny

      You'd have to work very hard to build one with a greater variety and number of security problems.

    8. Re:External PDF viewer? by tepples · · Score: 3, Informative

      Why does a Web browser have a built-in PDF viewer in the first place?

      Because just as text/html is a commonly used media type on the web, so is application/pdf. Having a PDF viewer written in JavaScript contributes to the Downloads folder not being quite as littered. And because not only is JavaScript inherently less subject to accidental "undefined behavior" than the C++ in which I assume Adobe implemented its Reader, but also has Mozilla shown itself to be more responsive than Adobe to security issues. That's also why Mozilla has been working on Shumway, its SWF player.

      Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

      Anyone who wants to write a JavaScript viewer for those formats is free to do so.

    9. Re:External PDF viewer? by ShaunC · · Score: 5, Informative

      You can go to about:config and set the value for pdfjs.disabled to true, or create that setting (boolean type) if it doesn't exist. That'll cause Firefox to pop up a download dialog when you click a PDF link, and you can use something like Sumatra to open the file.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
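      A defender-side check for the setting ShaunC describes, added here as an example (not code from the thread or from Mozilla): it parses the `user_pref("name", value);` lines Firefox writes to a profile's prefs.js and user.js (the format is assumed from how Firefox stores preferences) and reports whether pdfjs.disabled is actually true. The sample preference text is constructed.

```python
import re
from pathlib import Path

# One Firefox preference line: user_pref("name", value);  (assumed format)
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} from prefs.js-style text; values become bool/int/str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and anything else are skipped
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave unknown literals untouched
        prefs[name] = value
    return prefs

def pdf_viewer_disabled(prefs):
    """True only when pdfjs.disabled is explicitly true; absent means the viewer is on."""
    return prefs.get("pdfjs.disabled") is True

def hardening_line():
    """The user.js line that turns the built-in viewer off."""
    return 'user_pref("pdfjs.disabled", true);'

def check_profile(profile_dir):
    """Merge prefs.js then user.js (user.js wins on load) and report the setting."""
    merged = {}
    for fname in ("prefs.js", "user.js"):
        p = Path(profile_dir) / fname
        if p.is_file():
            merged.update(parse_prefs(p.read_text(encoding="utf-8", errors="replace")))
    return pdf_viewer_disabled(merged)

# Constructed sample of a prefs.js, not taken from a real profile.
SAMPLE_PREFS = """\
// Mozilla User Preferences (constructed sample)
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1438800000);
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("pdfjs.disabled", false);
"""
```

      Run `check_profile("<path to a profile dir>")` against a real profile; a false result means PDF links will still open in the in-browser viewer.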

    10. Re:External PDF viewer? by Darinbob · · Score: 2

      Why can't Adobe write a PDF viewer that just does the job simply and without the feature overload that leads to the most bug-ridden software since the Microsoft Butterfly 98 Home Edition?

  2. Re:People still use Firefox? by U2xhc2hkb3QgU3Vja3M · · Score: 4, Informative

    On Windows, your choices are:

    • Firefox, the bloated browser with memory leaks who forgot the whole point of its creation
    • Chrome, the fast browser with built-in spyware from the Do-no-evil-but-let's-datamine-the-shit-out-of-our-users-anyway company
    • Edge, the browser made by the company with possibly the worst security history on the planet
    • Opera, the company that dropped its own engine and is now just basically a Chrome clone

    edit: Slashdot lets us use HTML in our posts but makes bullets invisible... way to go, guys.

  3. Re:People still use Firefox? by Lunix+Nutcase · · Score: 3, Insightful

    It's disabled by default.

    Integrated PDF reader. The code for this is still included for emergencies (i.e. when you need to read a PDF but don't have access to a reader) but disabled by default - you are always recommended to use a separate, up-to-date document reader for PDF files (as an external program, not as a browser plugin) for your own security, and to have documents displayed in their fully intended format instead of a stripped-down display in an in-browser reader.

    https://www.palemoon.org/techn...

  4. Re:People still use Firefox? by Luthair · · Score: 3, Informative

    Firefox actually uses less memory than the others

  5. Re:Open source? by tnk1 · · Score: 2, Insightful

    Well, open source code is no more secure than closed source. That isn't a function of the source being open or closed. You can have poorly written open source software and excellent closed source stuff.

    The value of open source is the assumption that more eyes on an issue allows inevitable bugs to be found, and for potential users to inspect what they are running. Closed source would have to rely on the number of people authorized to view the code, and the customer will not be able to view the code, just the resulting functionality to evaluate its security.

    In reality, however, there is no guarantee that just because there is open source, that anyone will actually *look* at that code and even less assurance that someone who is qualified to read the code will have done so. So, a distinction needs to be made between open source software with a large and active community, and open sourced software that does not have an active community. You still get a *potential* advantage from having the source to look at, but it is only a potential advantage without the community. A closed source application could overcome those potential advantages by ensuring that they have excellent customer support, and are able to insure or indemnify customers against bad results.

    In any event, that is why you should never say open sourced software is simply "more secure". It isn't. And some of it is complete shit. What it does provide is the ability for a user/customer to be able to discover any issues for themselves, but *someone* has to go that extra step.

  6. Re:Open source? by rsmith-mac · · Score: 2, Interesting

    Nothing is perfect.

    Agreed. And this goes especially for browsers, since they're hitting a moving target.

    That said, this exploit highlights the fact that Mozilla still hasn't gotten their act together on layered security. Firefox remains the only browser not to run in low integrity mode (i.e. protected mode) on Windows, so while certain plugins like Flash are sandboxed, the greater browser is not. This goes hand in hand with the fact that Firefox currently does not have the ability to run each tab/window in its own process, making it harder to sandbox malicious content, and is why a bad tab can still take down the whole browser. Heck, the UI and the content still run in the same process, making it all the easier for bad content to reach out and touch the rest of the browser and the system.

    This vulnerability is an unfortunate reminder that Firefox is badly behind the curve on browser security. For the most part Mozilla is putting out fires by patching exploits, but the work on fixing the underlying issues has been much slower. The fact that in 2015 they still can't match the process isolation abilities of 2009's IE8 is a little embarrassing, and very frustrating.

    Mozilla means well, and while no one is perfect they are sadly about the farthest browser vendor from it at the moment.

  7. Patch and don't forget this... by chasm22 · · Score: 3, Interesting

    "The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. "

    It's taken from the blog about the exploit and doesn't seem to be drawing much attention.

  8. Re:People still use Firefox? by rev0lt · · Score: 2

    Unless you're one of the users running into those mysterious "memory leaks" that nobody can replicate once they file an actual bug

    I stopped using Firefox a couple of years ago because of this. They're not mysterious, they were real. Try opening a reasonable amount of tabs (50-100), and leave the browser open for a day or two, and you'll probably be able to reproduce it.