Firefox exploit found in the wild | Mozilla Security Blog
►https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild
Firefox exploit found in the wild
Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.
The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.
The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don’t know where else the malicious ad might have been deployed. On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts. Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload.
Update Firefox to the latest version | Firefox Help
▻https://support.mozilla.org/en-US/kb/update-firefox-latest-version
If you use your Linux distribution’s packaged version of Firefox, you will need to wait for an updated package to be released to its package repository. This article only applies if you installed Firefox manually (without using your distribution’s package manager).
Ne pas utiliser #firefox avant d’avoir la 39.0.3 . Je suis sous ubuntu et on est à la 39.0.0 ce matin .
Faille concernant windows et linux (pas mac visiblement)
