Firefox exploit found in the wild

Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.

The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

The files it was looking for were surprisingly developer focused for an exploit launched on a general-audience news site, though of course we don’t know where else the malicious ad might have been deployed. On Windows the exploit looked for Subversion, S3 Browser, and FileZilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, FileZilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts. Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload. [Update: we’ve now seen variants that do have a Mac section, looking for much the same kinds of files as on Linux.]

The exploit leaves no trace that it has been run on the local machine. If you use Firefox on Windows or Linux, it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit, depending on the software and the specific filters being used.
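Because the exploit leaves no local trace, the practical question is which credentials on a given machine were within its reach. The script below is an added example, not code from this post or from Mozilla: it enumerates the Linux file set described above so you know what to rotate. The file names (.bash_history, .mysql_history, .pgsql_history, everything under .ssh, text files with “pass” or “access” in the name, shell scripts) come from the post; the Remmina, FileZilla and Psi+ directory locations, the shebang heuristic for extension-less scripts and the directory depth limit are assumptions. Run it as the user that runs Firefox: anything it lists was readable by a payload running as that user.

```python
"""Post-exposure triage for the Linux file list in the post (added example)."""
import os
import re
import tempfile
from pathlib import Path
from typing import Iterator, List

try:
    import pwd  # Unix only; used to mirror "all the user directories it can access"
except ImportError:  # pragma: no cover
    pwd = None

# Dotfiles the post names explicitly.
FIXED_NAMES = {".bash_history", ".mysql_history", ".pgsql_history"}

# Config directories; the layouts inside them are assumptions, not from the post.
CONFIG_DIRS = [".ssh", ".remmina", ".filezilla", ".config/psi+"]

NAME_RE = re.compile(r"pass|access", re.IGNORECASE)
TEXT_SUFFIXES = {"", ".txt", ".text", ".md", ".conf", ".cfg", ".ini"}
SCRIPT_SUFFIXES = {".sh", ".bash", ".zsh"}


def is_targeted_name(name: str) -> bool:
    """Name-only rules: history files, shell scripts, text files with pass/access."""
    if name in FIXED_NAMES:
        return True
    suffix = Path(name).suffix.lower()
    if suffix in SCRIPT_SUFFIXES:
        return True
    return suffix in TEXT_SUFFIXES and NAME_RE.search(name) is not None


def looks_like_shell_script(path: Path) -> bool:
    """Catch extension-less scripts by their shebang line (assumed heuristic)."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(128)
    except OSError:
        return False
    return first.startswith(b"#!") and b"sh" in first


def walk_limited(root: Path, max_depth: int) -> Iterator[Path]:
    """os.walk that never follows symlinks and stops max_depth levels below root."""
    base = len(root.parts)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if len(Path(dirpath).parts) - base >= max_depth:
            dirnames[:] = []  # prune: do not descend further
        for name in filenames:
            yield Path(dirpath) / name


def readable_file(path: Path) -> bool:
    """Only files the current user can actually read were exposed."""
    return path.is_file() and os.access(path, os.R_OK)


def find_targeted_files(home: Path, max_depth: int = 4) -> List[Path]:
    """Return every readable file under `home` matching the Linux payload's rules."""
    hits = set()
    for name in FIXED_NAMES:
        if readable_file(home / name):
            hits.add(home / name)
    for rel in CONFIG_DIRS:
        cfg = home / rel
        if cfg.is_dir():
            hits.update(p for p in cfg.rglob("*") if readable_file(p))
    for p in walk_limited(home, max_depth):
        if readable_file(p) and (is_targeted_name(p.name) or looks_like_shell_script(p)):
            hits.add(p)
    return sorted(hits)


def candidate_homes() -> List[Path]:
    """Home directories this user can enter, as the payload would have walked them."""
    if pwd is None:
        return []
    homes = {Path(e.pw_dir) for e in pwd.getpwall() if e.pw_dir}
    return sorted(h for h in homes if h.is_dir() and os.access(h, os.R_OK | os.X_OK))


def make_demo_home() -> Path:
    """Constructed sample home directory (placeholder contents, not real data)."""
    home = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    (home / ".bash_history").write_text("ssh deploy@db01\n")
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_text("placeholder-private-key-material\n")
    (home / "db_passwords.txt").write_text("placeholder\n")
    (home / "deploy").write_text("#!/bin/bash\nrsync -a build/ web:/srv/\n")
    (home / "notes.md").write_text("nothing sensitive here\n")
    return home


if __name__ == "__main__":
    # Real run: every home the current user can read, falling back to its own.
    for home in candidate_homes() or [Path.home()]:
        for hit in find_targeted_files(home):
            print(hit)
```

The output is the rotation list: SSH keys in it should be replaced (and their public halves removed from authorized_keys on every host), history files often contain passwords typed on command lines, and the FileZilla, Remmina and Psi+ files hold saved account credentials. The script reports only what this user can read today; if permissions have changed since the exposure window, widen the search rather than trust a clean result.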

224 responses

  1. Bill wrote on :

    Is it possible to get security updates WITHOUT the “user interface and feature enhancements”? I hate the way Mozilla shoves new looks and “we think you’ll love it” UI changes down our throats. Burnt in the past by that, I now don’t allow auto-updating. I’ve been on Firefox 33 for a while now.

    Why can’t there be a separate security update, like Windows does? I don’t want whatever latest thing the Mozilla designer dreams up. But I want the security updates obviously.

    1. Robert O’Callahan wrote on :

      Because after N regular updates and M security updates we’d be supporting O(N x M) different Firefox versions, which couldn’t possibly scale.

    2. Eamon Nerbonne wrote on :

      You do realize, that (A) microsoft has far fewer updates to support, and (B) that even microsoft is turning away from that approach with windows 10. Alternatively, you could pick the android approach: lalalala what-do-you-mean, security updates? There’s no third option.

      At the end of the day, while I think it’s terribly annoying: users need to quit whining. Yes, it’s a pain in the ass – but the real issue is that people hate *any* change because we would all rather just stick to what works now. But that’s just not an option – the world’s changing all the time, and large (software) projects either need to adapt, or die. Without any exception all major software projects have this kind of functionality regression in the name of being able to do new and different things.

      So the reality is that even if you’ve figured out *just* the right way for your computing environment to work, little will be left in 10-15 years because although change is painful, inflexibility is a lot more painful.

      If I were a betting man, I’d bet that Firefox is erring rather too much on the side of keeping growling (legacy) users at bay by avoiding changing, which will inevitably lead to obsolescence. All other browsers seem to have changed a rather lot more in the past decade.

  2. nope wrote on :

    fucking clowns.

  3. Sloan wrote on :

    Hmm. But how can pdf.js even access local files?
    As far as I know, local access from the JavaScript browser API is restricted, whether AJAX or not. The only way is using FileReader, but in that case you need to manually load the file from a tag.
    So, how is this possible?

    1. JJ wrote on :

      Hackers gonna hack… Do you understand what “browser vulnerabilities” are, i.e., how they are discovered and, most importantly, for WHAT?

    2. Awal wrote on :

      Very interested in knowing the same. I guess PDF.js is part of chrome code which has elevated privileges.

    3. Sloan wrote on :

      Sure. But this is NOT a part of the browser, this is an addon (I’m talking about pdf.js). So, every addon can access every (!) piece of data that the user can. That is madness!

  4. Marko wrote on :

    Hello. I have beta 40 0 9. Do I need to go to 39.0.3? Thanks

  5. Bottom jej wrote on :

    Good job, Mozilla! Congratulations on hitting all time low market share of 9%
    I wonder why people are jumping this sinking ship…

    1. Joe wrote on :

      You think Apple cares about market share? If you build a good quality product for a certain demographic, people will use it. Firefox serves the demographic that cares about quality open source projects that respect people’s rights.

    2. JJ wrote on :

      4chan users are retarded. ALL software has vulnerabilities… You should be grateful this one is being reported AND mozilla is doing something as fast as possible. Other companies simply don’t care about the users. Mozilla is right here, and the best software organization from the users point of view.

  6. Ronan Jouchet wrote on :

    Were Firefox users on non-release channels (beta, aurora / Developer Edition, nightly) vulnerable?

    1. Lagfox wrote on :

      Yes. It’s fixed only in Firefox 38.1.1esr, Firefox 39.0.3 and Nightly 42.0a1

      1. Ronan Jouchet wrote on :

        You mention esr, release, nightly. So currently, aurora (41.0a2 (2015-08-07)) and beta were and are still vulnerable?

        1. Stephane wrote on :

          I feel it’s somewhat sub-optimal that the Firefox Dev Edition did not get a patch right away. What is the rationale behind this? Are there not enough people using it? Thank you for the great browser 🙂

      2. Alica wrote on :

        And what about the previous ESR 31.x? Will there be a ESR 31.8.1, like the ESR 24.8.1?

  7. paul wrote on :

    Any idea how long this vulnerability has been in the pdf viewer? Are there known addresses that have been receiving the exploit uploads? That would allow inspecting firewall logs to see if any data has been exfiltrated.

    I’d be happier if Firefox did not have any access to the local file store other than a limited area for its own stuff, i.e. it ran in something like a chroot jail or under a separate user account. Not sure what it would have to do about FF’s own password store and the bookmarks db. Should everyone consider their password store to be compromised and change all the web passwords they have stored in it?

    I also see the root problem here as too much trust in JS sandboxing. An endless parade of exploits and privacy leaks have resulted from this. The decision a couple years ago to remove “turn off JS” from the UI has worsened this immeasurably, as well as cementing the bloaty, script-heavy, dysfunctional style of web design that everything is afflicted with now, that almost always has no user benefits over Web 1.0 style pages. The change should have gone the other way: JS should have been turned off by default, with whitelisting for specific pages. In any case the same-origin policy should be strengthened so that it is impossible for sites other than the one in the nav bar to run any scripts at all (that means no ads with scripts, no google analytics script, etc). That would stop a lot of user tracking among other things.

    1. Olegario Craig wrote on :

      Yes, please; what were the IPs and/or domain names used for the upload targets? I have flow logs going back a while…

  8. Thomas Quinot wrote on :

    What’s the earliest vulnerable version? How to tell if the builtin PDF viewer is enabled?

  9. Vasim wrote on :

    They are not only implementing a lot of potentially dangerous things into the browser (Pocket, pdf.js and other unneeded crap), reducing users’ ability to keep themselves safe (removed “turn off JS” from the GUI), but also trying to hide information about who could be affected from users! Why are they hiding the “news site” and malicious ad reference? A lot of users could be affected; they should know about this.

  10. The Old Coot wrote on :

    Shouldn’t be happening if you guys did better testing on your code before releasing updates.

    1. James Edward Lewis II wrote on :

      Read up on the halting problem: It implies that for sufficiently complex programs, testing will never be perfect.

      Mozilla actually does extensively test before pushing code out the door.

  11. Eye wrote on :

    Why is pdfjs in there at all? Why is PDF (actually a paper printing format) so popular over the internet?

  12. KX wrote on :

    This exploit is more of a symptom than anything. It’s a symptom of how poor Javascript security really is.

    Javascript engines were originally implemented in a day and age where security wasn’t needed; JS was just used for moving stuff around the screen, fluid motion of sites’ DOM elements, being able to drag stuff around, having client-side input validation and such. Thing is, over time, JS has gained a lot of responsibility as a language but security hasn’t been there to keep up with it. It’s still as permissive as it originally was, allowing third parties to run unprecedented amounts of intrusive code on user machines.

    We’re in a world where we have things like WebRTC exploits via JS being used by malicious marketing companies to bypass privacy tools as to probe internal network environments, advertisement networks being used to push malware using javascript, publishers who feel it is their right to enumerate every bit of information about a user’s computer just by connecting to their site. Now we have “local” javascript being leveraged to compromise local files.

    It’s become ActiveX all over again. This time, every browser has it and it’s obligatory to participate on the Web.

    Gone are the days where a computer firewall is adequate. In most cases, a browser punches a hole clean through conventional firewalls. Thus it is my contention that Mozilla and other browser vendors need to ramp up the security controls on Javascript big time. This includes controlling the entry and exit points into the engine and allowing users to control those points through non-hidden means (that means, not tucked away in about:config). The publishing industry may hate it, but users at the end of the day need to protect themselves from malicious activity, and the defaults on browsers simply don’t do it.

    We need to address this at the base of the situation and stop being so permissive with JS.

  13. Scott Walters wrote on :

    Accessing an arbitrary file outside of $HOME/.mozilla/firefox seems like it should reasonably require approval via a confirmation dialog box each and every time.

    Similarly, right now, pop-ups are either on or off for a site, but the file upload dialog is considered a pop-up. This means that for sites like imgur.com, I have to turn it off to not be abused by ads popping up windows to other sites, but have to turn it back on to be able to upload files. This is unworkable and far more work than simply approving each and every pop-up. Since I almost never want a pop-up and it’s easy to ignore the requests, this should be the default.

    I know software written in C is always going to have exploits, but it seems like Firefox has systematically struggled with a gap in understanding what’s permissible to do without approval.

    Considering that almost no one ever wants any site to ever be able to open a pop-up, and that Firefox continues to struggle with forbidding this after a decade, Firefox fails to inspire confidence. If Firefox is similarly reckless about accessing files outside of $HOME/.mozilla/firefox without permission, then the only reasonable thing for people (and Linux distros, and add-on security products) to do is to jail Firefox so that it can’t hurt itself.

    I already run Firefox as a non-privileged user with the install itself owned by root (and until settings were changed, Firefox was freaking out that it couldn’t write its own files to upgrade itself — damn right you can’t write to your own install!) but I doubt I’m careful enough with file permissions for even this to be adequate, and most users aren’t nearly this careful.

    Please keep in mind that it’s not just developers who need some level of security, for the sake of their projects, as this exploit shows. As Mitnick’s social engineering attacks show, even low level office workers need a reasonable expectation of security.

    tl;dr: You can try to write this off as a predictable, excusable security failure, but I see it as a long pattern of recklessness and disconnect from what’s reasonable that is inexcusable and puts Firefox in a bad light. Just as people shouldn’t need 3rd party pop-up blockers, dishing out files without explicit permission simply makes no sense. People almost never want that and if they do, they’ll approve the actual read or the actual pop-up.

    1. Anonymous wrote on :

      That is actually a solution: force everything in Mozilla Firefox to be done in specified working directories, including a specified temp & cache directory, unless permission is granted to do otherwise. A permission-based system can be overlaid on that, saying that only a particular thread/process is allowed to access each folder.

      Move everything firefox needs to one place and lock it down.

  14. jmp wrote on :

    I will end up running browsers from docker or some other container.

  15. Sayonji Nakayama wrote on :

    Hi.

    Am I safe if my firefox doesn’t save passwords?

  16. Program indir wrote on :

    Thank you…

  17. Chris Hills wrote on :

    Can these types of vulnerabilities be mitigated with selinux or AppArmor?

    1. Roman Gorshunov wrote on :

      Yes, with SELinux sandbox for example: http://danwalsh.livejournal.com/31146.html

    2. Erik wrote on :

      A custom AppArmor profile could block Firefox from accessing .ssh, .purple, etc. I’m going to write one this weekend. It’s a blunt tool but better than nothing.

      1. Rick wrote on :

        Ubuntu already has an apparmor profile that’s not on by default (/etc/apparmor.d/disable/usr.bin.firefox).
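Erik’s idea in concrete form, as an added example that is neither Ubuntu’s shipped profile nor anything from the post: deny rules for the local override file that Ubuntu’s Firefox profile includes. The path /etc/apparmor.d/local/usr.bin.firefox, the Remmina, FileZilla and Psi+ locations and the glob patterns are assumptions. In AppArmor a deny rule wins over any allow rule, so these hold regardless of what the main profile permits, and the `audit` keyword logs every blocked access so an attempt shows up in the kernel log even though the exploit itself leaves no trace.

```apparmor
# Local additions for the Ubuntu Firefox profile (assumed include path:
# /etc/apparmor.d/local/usr.bin.firefox). Added example, not the shipped profile.
# Every rule denies Firefox, and therefore any script running inside it,
# the files the Linux payload described in the post was hunting for.
# /etc/passwd is deliberately NOT denied: glibc reads it for user lookups
# and Firefox would break without it.

  # shell and database history files
  audit deny @{HOME}/.bash_history rw,
  audit deny @{HOME}/.mysql_history rw,
  audit deny @{HOME}/.pgsql_history rw,

  # SSH configuration and keys
  audit deny @{HOME}/.ssh/ rw,
  audit deny @{HOME}/.ssh/** rwlk,

  # saved credentials of other clients (directory locations are assumptions)
  audit deny @{HOME}/.remmina/** rwlk,
  audit deny @{HOME}/.filezilla/** rwlk,
  audit deny @{HOME}/.config/psi+/** rwlk,
  audit deny @{HOME}/.purple/** rwlk,

  # name-based rules from the payload: "pass"/"access" files and shell scripts
  audit deny @{HOME}/**pass* rw,
  audit deny @{HOME}/**access* rw,
  audit deny @{HOME}/**.sh rw,
```

Enable the profile Rick mentions with `sudo rm /etc/apparmor.d/disable/usr.bin.firefox` followed by `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox`, and confirm with `aa-status` that firefox is listed in enforce mode. The caveat with the name-based rules is that they also block the user’s own deliberate uploads and downloads of matching files (a `.sh` you meant to save, a document named `passport.txt`), so run the profile in complain mode (`sudo aa-complain usr.bin.firefox`) and watch the log before enforcing it. It is also a blunt tool, as Erik says: it limits what a payload can read, it does not fix the browser.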

  18. someone wrote on :

    a chilling reminder that the more “features” you keep incorporating to a browser, the more attack surface you will create… Mozilla, please come to your senses and stop the Firefox bloatware.

  19. Martin wrote on :

    Thanks Mozilla, for adding a useless feature to your browser, making your bloaty code even more insecure. 🙁

  20. Neal wrote on :

    Firefox really needs some hardening. I remember when the Firefox PDF viewer was introduced one of the benefits was supposed to be security. I am disappointed that all that seems to have done is add a new exploit vector.

    I hope e10s brings some tangible security benefits. Unfortunately the sandbox doesn’t even have an estimated ETA, so we Firefox users have to grow increasingly paranoid about our security or switch to another browser that doesn’t get publicly hacked so easily.
