Mozilla urges users to update Firefox with file stealing exploit in wild

A violation of the same origin policy within Firefox's built-in PDF Viewer is being exploited, which is fixed in newly released Firefox versions.

Earlier this week, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox's PDF Viewer to search for sensitive files on users' local file systems.

The exploit has been fixed in Firefox 39.0.3 and ported to its extended support release, Firefox ESR 38.1.1.

Versions of the browser that do not include the PDF Viewer, such as Firefox for Android, are not vulnerable.

"The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the 'same origin policy') and Firefox's PDF Viewer," wrote Mozilla security lead Daniel Veditz in a blog post.

"The vulnerability does not enable the execution of arbitrary code, but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files."

According to Veditz, the payload searches for subversion, s3browser, Filezilla, and libpurple configuration files on Windows systems; whereas on Linux, the payload looks through global configuration files in /etc/ as well as .bash_history, .mysql_history, .pgsql_history, .ssh files, any text files with "pass" and "access" in the names, and any shell scripts.

Any files encountered by the payload are uploaded to a server reportedly in Ukraine.

Mac users are not impacted by this exploit, but Veditz warned that another payload could potentially use the same vulnerability.

"The exploit leaves no trace it has been run on the local machine," said Veditz. "If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs."

Last month, a pair of use-after-free vulnerabilities and 11 other vulnerabilities of varying importance forced Mozilla to release an update to Firefox 39.

Although separately, Mozilla said these bugs could not be exploited easily, a user would be vulnerable if a mechanism was found to trigger them.