Firefox exploit found in the wild

Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.

The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

The files it was looking for were surprisingly developer-focused for an exploit launched on a general-audience news site, though of course we don’t know where else the malicious ad might have been deployed. On Windows the exploit looked for subversion, s3browser, and Filezilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts. Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload. [Update: we’ve now seen variants that do have a Mac section, looking for much the same kinds of files as on Linux.]

The exploit leaves no trace that it has been run on the local machine. If you use Firefox on Windows or Linux and use any of the programs mentioned above, it would be prudent to change any passwords and keys stored in those files. People who use ad-blocking software may have been protected from this exploit, depending on the software and the specific filters in use.
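Because the exploit leaves no trace, the practical response is to enumerate which of the targeted files exist on a machine and rotate whatever they contain. The script below is an added example, not code from Mozilla or from the post; it walks a Linux home directory and lists the files named in the article (history files, .ssh material, Remmina, Filezilla and Psi+ configuration, .txt files with “pass” or “access” in the name, and shell scripts). The configuration directory locations for Remmina, Filezilla and Psi+ are assumptions, so both their older and newer paths are checked; the function name `list_exposed_files` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the Mozilla post): enumerate the Linux files the
# exploit described above looked for, so the owner knows which credentials
# to rotate. The list follows the article; the Remmina, FileZilla and Psi+
# config directory paths are assumptions (old and new locations checked).

# list_exposed_files HOME_DIR
#   Prints every matching file under HOME_DIR, one path per line, sorted.
#   Returns 1 if HOME_DIR is not a directory.
list_exposed_files() {
    _home="$1"
    [ -d "$_home" ] || return 1
    {
        # shell and database client history files
        for _f in .bash_history .mysql_history .pgsql_history; do
            if [ -f "$_home/$_f" ]; then printf '%s\n' "$_home/$_f"; fi
        done
        # SSH configuration and keys
        if [ -d "$_home/.ssh" ]; then find "$_home/.ssh" -type f; fi
        # Remmina, FileZilla and Psi+ configuration (paths assumed)
        for _d in .remmina .config/remmina .filezilla .config/filezilla .psi+ .config/psi+; do
            if [ -d "$_home/$_d" ]; then find "$_home/$_d" -type f; fi
        done
        # .txt files with "pass" or "access" in the name, and any shell script
        find "$_home" -type f \( -iname '*pass*.txt' -o -iname '*access*.txt' -o -name '*.sh' \) 2>/dev/null
    } | sort -u
    return 0
}

# Usage: sh audit.sh /home/alice   (run once per user directory on the host;
# /etc/passwd is world-readable and was taken regardless, so it is not listed)
if [ -n "${1:-}" ]; then
    list_exposed_files "$1"
fi
```

The output is the list of files whose contents should be treated as disclosed; anything that is a key, password or session token in them is what the article recommends changing.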

224 responses

  1. Yellowberry wrote on :

    Here is my take on this. Mozilla will do what they want. If you are not satisfied with this, then just fork Firefox and add and remove the features that you want. I know you might be saying “That’s too difficult and that takes work.” Well, I’m here to tell you that that is what it will take. I am disappointed that this is how it has to be. It seems a lot of software companies these days are steering away from the community…

  2. David wrote on :

    Wow, I’m amazed that not one of the 90 previous comments mentions NoScript. Hello!!! If you want reasonably safe browsing you _must_ disable JavaScript for all untrusted sites (i.e. any site where you don’t recognize the URL, and probably many where you do).

    This issue is a yawn for anyone running NoScript. The mal-advertisement site JS would not have run at any time, past, present or future. All such malware loads from garbage throw-away domains which could not possibly have appeared in the NoScript white-list.

  3. sametbh wrote on :

    What if I rarely use PDF viewer and ghostery?

  4. Chris wrote on :

    Does anyone know the IP/hostname of the server the data was sent to?

    1. Travis wrote on :

      +1

      1. Gav wrote on :

        I’ve found one copy of the exploit code that targets Windows, Linux and Mac (based on navigator.platform so other OSs should be fine). This version at least submits to http://acintcdn.net/delivery.php which currently resolves to 185.86.77.48 (it can use both POST and GET, so check for both)
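A defender who has a web proxy in front of the affected users can answer Chris’s question for their own network from the log. The script below is an added example, not code from Mozilla or from the commenter; it takes the indicator Gav reports (acintcdn.net, resolving to 185.86.77.48), matches it on either the request URL or the upstream peer address so both GET and POST submissions are caught, and prints the internal clients that reached the host. It assumes Squid’s native access.log layout (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type); the log lines embedded in it are constructed for the demonstration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post or the commenter): scan a proxy access log
# for requests to the collection host named in the comment above,
# acintcdn.net / 185.86.77.48, whether GET or POST, and list the internal
# clients that reached it. Assumes Squid's native access.log layout:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
# The log lines below are constructed for the demonstration.

SAMPLE_LOG='1438780800.123 45 10.0.0.12 TCP_MISS/200 812 GET http://news.example/ - HIER_DIRECT/93.184.216.34 text/html
1438780801.456 120 10.0.0.12 TCP_MISS/200 2210 GET http://acintcdn.net/delivery.php?x=1 - HIER_DIRECT/185.86.77.48 text/html
1438780802.789 98 10.0.0.12 TCP_MISS/200 310 POST http://acintcdn.net/delivery.php - HIER_DIRECT/185.86.77.48 text/html
1438780803.000 10 10.0.0.40 TCP_HIT/200 512 GET http://intranet.example/ - NONE/- text/html
1438780804.000 10 10.0.0.40 TCP_MISS/200 128 GET http://185.86.77.48/delivery.php - HIER_DIRECT/185.86.77.48 text/html
1438780805.000 10 10.0.0.51 TCP_MISS/200 640 GET http://acintcdn.net.example/ - HIER_DIRECT/203.0.113.9 text/html'

# find_exfil_requests LOGFILE
#   Prints "client method url" for every request whose URL host or peer
#   address matches the indicator. The host match is anchored to the URL
#   authority, so look-alike names (acintcdn.net.example) are not reported.
find_exfil_requests() {
    awk '
        $7 ~ /^[a-z]+:\/\/(www\.)?acintcdn\.net(:[0-9]+)?(\/|$)/ ||
        $7 ~ /^[a-z]+:\/\/185\.86\.77\.48(:[0-9]+)?(\/|$)/ ||
        $9 ~ /\/185\.86\.77\.48$/ { print $3, $6, $7 }
    ' "$1"
}

# clients_to_check LOGFILE
#   Unique client addresses that contacted the host: the machines whose
#   users should rotate the credentials listed in the article.
clients_to_check() {
    find_exfil_requests "$1" | awk '{ print $1 }' | sort -u
}

# Demonstration on the constructed sample (replace with the real access.log):
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
find_exfil_requests "$demo_log"
clients_to_check "$demo_log"
rm -f "$demo_log"
```

Matching on the peer address as well as the URL matters because the GET variant carries its data in the query string and the POST variant in the body; the hierarchy field identifies the destination in both cases even when the URL host was written as the bare IP.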

  5. David Coston wrote on :

    Thanks for the quick fix guys.

  6. Mark wrote on :

    Mozilla is still one hundred and fifty thousand times better and safer than Internet Explorer.

  7. John Smith wrote on :

    Is ESR 31.8 vulnerable to this? If so, will there be a bugfix release? The ESR roadmap still shows it as being supported.

    1. Neal wrote on :

      I think next week it is discontinued. You will have to update to ESR 38.

      Maybe the Mozilla people don’t want to do a last update for a version that only has less than a couple of days of official support.

  8. Livid wrote on :

    PDF.js is introduced in Firefox 19

    Firefox 19 is released in early 2013

    Does that mean the exploit has been around for over two years?

    1. Blath wrote on :

      Since Fx 31.x seems not to be vulnerable, no.

  9. AS wrote on :

    The Firefox update has stopped my laptop connecting to the internet! Now even Internet Explorer no longer works! What can I do?

  10. tasty wrote on :

    who’s wanna analyze a lil’ some? rghost.net/6HTzsrdLR

    I guess we need to block requests to ‘acintcdn.net’ further.

    1. j wrote on :

      File is deleted

      1. libpython3-dbg wrote on :

        Here it is, I guess.

        http://paste.ubuntu.com/12030863/

        I’m actually quite disappointed by Mozilla’s attitude. It is in the ‘best’ traditions of non-free software developers. What is that conspiracy for — I’ve found the exploit in a minute, but cannot find out which versions of Firefox are affected (since 19? since 31? since 38?) — the corresponding bug report [1] is classified (sic!). Are they suggesting that I try it out by myself?

        [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1178058

    2. O wrote on :

      Was this host already on Opendns’ Family Shield blacklist maybe?

    3. O wrote on :

      Was this host already on OpenDNS’s Family Shield blacklist maybe?

  11. bob wrote on :

    using different layer for different task = being secure
    like a VM, docker, sandbox for your daily navigation
    another VM, docker, sandbox for your daily work

    1. eliasp wrote on :

      If you’re considering Docker to be a security feature, your security concept is broken.
      Docker is a lot, but _not_ a security layer/feature.

      1. Alex wrote on :

        I don’t think he is implying that Docker is inherently the solution to security; in fact, he includes Docker in a list of other possible solutions. Layering up with a VM purely for browsing will protect you from this particular browser exploit, given that you use another VM for your development work.

        1. Joe wrote on :

          Wasn’t there just a VMware escape published?

          1. Josh wrote on :

            XEN escape*

            Yes

            1. Ben wrote on :

              XEN and KVM escape caused by QEMU bug.

              And feel free to try which category of bug is easier to exploit, this one or so-called VM escape.

      2. Gerard Braad wrote on :

        He means to use Docker as a separation between two environments/contexts. Docker uses namespaces to create an isolation between these two contexts.

  12. Uil wrote on :

    I wonder why they forbid reading this in lynx – do they fear people keeping their systems secure?
    But of course you can read it in lynx if you change the user agent string, which goes to show they are really fearing us.

    1. Daniel Veditz wrote on :

      This is just a hosted instance of WordPress. If it’s blocking lynx you’d have to ask them — we have absolutely no interest in preventing people from accessing our blogs.

  13. Michal wrote on :

    Hi,

    Could you provide a shell script that would list the files accessed by this exploit? When you say for example “text files” do you mean “*.txt” or mimetype text? If a keepass file has “pass” in its name would it be stolen?

    Thanks,
    Michal

    1. Daniel Veditz wrote on :

      We’ve now seen variants looking for different files, though so far similar lists focused on developers / command-line users. In the article text files meant .txt. In the variant I saw if the keepass file name has a .txt extension it would be stolen.

  14. Jk wrote on :

    Can you provide hashes of the samples?

  15. G. R wrote on :

    Has Nightly also received this patch?

    1. Daniel Veditz wrote on :

      Yes, all the branches have the patch.

      1. paul wrote on :

        What about beta x64?

  16. Eugene wrote on :

    Oh my, really? How could it happen? Probably coz Firefox lets third-party software install their plugins without user permission (Adobe Reader/Acrobat, NFW, etc.)? Or due to the absent option ‘ask user’ for some filetypes open dialog (RSS, podcasts, etc)? Really, very strange /irony off/

    1. James Edward Lewis II wrote on :

      The problem was actually in Firefox’s built-in PDF reader, based on the old PDF.js project, so it has nothing to do with third-party plugins (even though they *do* pose a security risk generally).

      1. Eugene wrote on :

        I’ve got it. My idea was: let the users decide what to open in browser themselves.

  17. mseri wrote on :

    If you are looking for a desktop sandbox, you could consider Qubes OS. It’s getting better and better

  18. tan wrote on :

    Looks like Firefox is doing a job to keep up with safety and security. Well done.

  19. shadowspear wrote on :

    It looks like we have to get the people like Firefox, Opera, Google Chrome, and any other software used for surfing the internet to stop all this bs with people being allowed to use Java and/or any other kind of program having access to and/or changing browsers on people’s computers, and also stop them from taking data just to use for their sales, and/or selling to third parties.

    It really is getting bad when any and/or all the browsers are now able to hijack your computer, and/or let third parties have the abilities to do so, when they should always have an option to lock them out and not take part, and know exactly what is being installed on anyone’s computer.

    1. James Edward Lewis II wrote on :

      This particular bug was in a component of Firefox itself, not in any third-party plugin.

    2. urmom wrote on :

      Yeah I’ve said for a long time now that this whole infatuation with javascript and overcomplicated/bloated browsers is only going to cause more problems. It should be possible to use something simple like Dillo to browse the web. You want security and stability? Ditch the Web 2.0 crap. It’s not worth the security and privacy problems. Building stupid “countermeasures” on top of this shaky foundation is only going to lead to an arms race. Fix the fundamental problem, not the symptoms. KISS principle applies, as always…

      1. gary wrote on :

        Yeah, let’s stop with this internet of things crap. All we need is a handful of nice single-player games and stop this insanity.

  20. William wrote on :

    Thanks for patching the bug, but I’m starting to lean towards sandboxed web browsing as employed by Chrome.

    1. George8211 wrote on :

      Perhaps you want to take a look at the e10s project? http://wiki.mozilla.org/Electrolysis
