Mozilla Users Urged to Update
Posted by: Timothy Weaver on 08/10/2015 09:53 AM
Security researcher Cody Crews notified Mozilla that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox's PDF Viewer.
The vulnerability could allow a person's sensitive files to be searched. It has been fixed in Firefox 39.0.3, and the fix has been ported to the extended support release, Firefox ESR 38.1.1.
Versions of Firefox that do not have the PDF Viewer, including Firefox for Android, are not at risk.
Mozilla security lead Daniel Veditz wrote: "The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the 'same origin policy') and Firefox's PDF Viewer."
"The vulnerability does not enable the execution of arbitrary code, but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files."
Any files encountered by the payload are uploaded to a server reportedly in Ukraine.
Source: ZDNet