Pesky Firefox bug
Mozilla on Thursday announced that it rolled out security fixes for a bug in Firefox that was discovered by a user. What the user found was that an advertisement on a news site in Russia was able to take advantage of a vulnerability in Firefox to search for sensitive files on a user's PC and upload them to a server in Ukraine.
The exploit involves Firefox's built-in PDF Viewer and "the interaction of the mechanism that enforces JavaScript context separation." Versions of Firefox that don't use the PDF Viewer, such as FireFox for Android, aren't affected, though it does affect the browser in Windows.
Mozilla added that the vulnerability doesn't enable the execution of arbitrary code, however it's able to inject a JavaScript payload into the local file context, which then allows it to search for and upload local files, including sensitive ones.
Interestingly enough, the malware looks for files that are typically associated with developers as opposed to bank statements or things of that nature. Mozilla also points out that Mac users are unaffected by this particular exploit, but would not be immune if a new payload was created. Furthermore, the exploit is stealthy, leaving no trace that anything foul took place.
The latest version of Firefox (39.0.3) includes security updates that fix the vulnerability. You can force an update by clicking on Settings (those three horizontal lines in the upper-right corner of Firefox), Help Menu icon (question mark at the bottom), and About Firefox.
Follow Paul on Google+, Twitter, and Facebook
From maximumpc
from http://bit.ly/1KVOgrV
