
Mozilla patches Firefox exploit that let hackers remotely grab users’ files

Update your browser immediately.

 

AJ Dellinger


Posted on Aug 7, 2015   Updated on May 28, 2021, 5:08 am CDT

If you use Firefox, it’s time to update your browser.

Mozilla recently discovered an exploit in the wild that allows a malicious actor to remotely direct your computer to upload files to a server without permission.

The exploit, which a user discovered on Aug. 5 and brought to Mozilla’s attention, takes advantage of a vulnerability in Firefox’s PDF viewer.

The issue “comes from the interaction of the mechanism that enforces JavaScript context separation (the ‘same origin policy’) and Firefox’s PDF Viewer,” Mozilla security lead Daniel Veditz explained in a blog post.

The exploit injects JavaScript and searches the victim’s computer for sensitive files. It then uploads those files to a server that appeared to be located in Ukraine.

The exploit was found in an advertisement on a Russian news outlet’s website, but it could be running elsewhere across the Web as well. Veditz said the code searched for files that were “surprisingly developer focused.”

Windows and Linux users were the primary victims of the attack. It did not appear to target Mac OS X, though Veditz noted that Apple computers would not be immune to an exploit based on a modified version of the JavaScript code.

The Firefox mobile browser for Android was also unaffected because it does not use the Firefox PDF viewer. 

Firefox has already issued an update to address the exploit. Users are urged to update to Firefox 39.0.3 to plug the potential security gap.

H/T Gizmodo | Photo via Raphaël Quinet/Flickr (CC BY SA 2.0)

*First Published: Aug 7, 2015, 4:38 pm CDT