Mozilla issues patches against Firefox file-stealing flaw

The Mozilla Foundation has released patches against a newly-found zero-day vulnerability in its Firefox web browser which allows attackers to steal files from victims' machines.

The flaw is currently being actively exploited.

Mozilla security officer Daniel Veditz said the exploit was discovered last week. An advertisement on a news site in Russia served up an exploit for Firefox that scanned for files and uploaded them to a server that appeared to be hosted in Ukraine.

Veditz said the vulnerability stems from the interaction between Javascript context separation, or same-origin policy, and the PDF viewer in Firefox.

While the vulnerability cannot be used to remotely execute arbitrary code on users' machines, it can inject Javascript into the local file context and upload files stored on disk, Veditz said.

Martijn Grooten, editor of security information portal and certification body Virus Bulletin, noted the exploit so far targeted only Windows as well as Linux systems. No attacks against Apple Macs have been recorded yet, but Grooten warned they were just as vulnerable to the exploit.

Mozilla found the exploit tried to snag developer-oriented files on both Windows and Linux machines. However, the exploit also copied the /etc/passwd file on Linux systems, which contains user log in secrets, and private Secure Shell digital keys for remote access.

"The exploit leaves no trace once it has been run on the local machine," Veditz said.

Firefox users are advised to update to version 39.0.3 and version Extended Support Release 38.1.1 immediately to fix the critical flaw.

Versions of Firefox that do not contain the PDF viewer  - such as Firefox for Android - are not vulnerable, Veditz said.

He said people using adblockers may have been protected against the exploit, depending on the type of filtering software they used.