Stories
Slash Boxes
Comments

SoylentNews is people

Mozilla Firefox's PDF Reader Exploit Can Steal Files

posted by martyb on Saturday August 08 2015, @02:44AM   Printer-friendly
from the no-bloatware-goes-unpunished dept.

GungnirSniper writes:

Mozilla Firefox's PDF Reader has a vulnerability that can "violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer."

Mozilla Security Blog has further details:

Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.

The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the "same origin policy") and Firefox's PDF Viewer. Mozilla products that don't contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don't know where else the malicious ad might have been deployed. On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with "pass" and "access" in the names, and any shell scripts. Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload.

The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Mozilla Firefox's PDF Reader Exploit Can Steal Files | Log In/Create an Account | Top | 14 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by maxwell demon on Saturday August 08 2015, @06:52AM

    by maxwell demon (1608) on Saturday August 08 2015, @06:52AM (#219812) Journal

    Well, actually I used it once, when to my surprise no external PDF reader was opened, but that internal reader. Back then it didn't render that particular PDF file in an even remotely usable form, so I immediately disabled that functionality; I never felt the urge to re-enable it (probably it now renders all the PDF files correctly, but I don't care).

    --
    The Tao of math: The numbers you can count are not the real numbers.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 0) by Anonymous Coward on Saturday August 08 2015, @07:12AM

    by Anonymous Coward on Saturday August 08 2015, @07:12AM (#219817)

    Me neither. I wonder whether that would protect against this thing. I like Okular.