Mintcast PUPs Disable Safe Browsing Settings in Firefox
Exploits and vulnerabilities | News | Threats

New Firefox Zero-Day: Patch Now! (UPDATED)

Posted: August 9, 2015 by Jérôme Segura

Update (08/11): Mac users are now being targeted by a newer version of this exploit.

mac

Original Post:

Mozilla released a critical security advisory late last week which may have gone unnoticed during all the action at the BlackHat and Defcon conferences.

The bug in its flagship browser Firefox is severe because it can allow an attacker to steal files from Windows and Linux users who just happen to visit a website contaminated by a malicious advert.

FF

More importantly, the flaw has already been exploited in the wild (via a malvertising attack on a Russian website) and the source code for it has also been leaked. It’s only a matter of time before the exploit is deployed on a much larger scale.

We got our hands on the zero-day source code and can immediately see that this attack’s main purpose is to steal passwords and other highly sensitive data:

linux

The stolen data is then sent to a remote server via a POST request:

This attack is particularly dangerous and very stealthy as well because it will leave no artifacts on the victims’ computers and they will have absolutely no idea of what just took place.

This is because the exploit abuses the Same-Origin Policy by injecting JavaScript into Firefox’s built-in PDF Viewer. The Same-Origin Policy only allows a web page to access data in a second web page if both have the same origin. In this case, the first web page can access data on the user’s local hard drive!

This zero-day is unique in that it does not download any malware on the system it wishes to steal from, contrary to typical attacks that download and execute Trojans or backdoors first. One big advantage of using such a technique is to minimize the footprint and therefore detection on a system.

The threat also affects Linux (Firefox comes pre-installed on Ubuntu), and not just Windows, which is something we don’t normally see as often when it comes to web based attacks.

The flaw is fixed in Firefox 39.0.3 and Firefox ESR 38.1.1 (long term support), so please make sure you are using the very latest version by selecting “About Firefox” from the menu or going to firefox.com to download it.

While this specific attack was not intended for Mac users, it could very well have been, so they ought to patch as well.

RELATED ARTICLES

TikTok logo
News | Personal

TikTok comes one step closer to a US ban

April 24, 2024 - The US Senate has approved a bill that will ban TikTok, unless it finds a new owner, bringing it one step closer to being signed into law.

CONTINUE READING 0 Comments
UnitedHealth Group logo
News | Personal

“Substantial proportion” of Americans may have had health and personal data stolen in Change Healthcare breach

April 23, 2024 - UnitedHealth has made an announcement about the stolen data in the ransomware attack on subsidiary Change Healthcare.

CONTINUE READING 0 Comments
The Lock and Code logo, which includes the Malwarebytes Labs insignia ensconced in a pair of headphones
Podcast

Picking fights and gaining rights, with Justin Brookman: Lock and Code S05E09

April 22, 2024 - This week on the Lock and Code podcast, we speak with Justin Brookman about past consumer wins in the tech world, and how to avoid despair.

CONTINUE READING 0 Comments
Discord logo
News | Privacy

Billions of scraped Discord messages up for sale

April 22, 2024 - An internet scraping platform is offering access to a database filled with over four billion Discord messages and combined user profiles.

CONTINUE READING 0 Comments
week in security
News

A week in security (April 15 – April 21)

April 22, 2024 - A list of topics we covered in the week of April 15 to April 21 of 2024

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Jérôme Segura

Jérôme Segura

Principal Threat Researcher

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams