A recent blog post by Mozilla security head Daniel Veditz outlined a particularly malicious exploit that was found embedded in an advertisement on a Russian news site. The exploit, first discovered by a Firefox user, could sift through your local files and upload them to a Ukranian server, all without you knowing.
The vulnerability relied on exploiting Firefox’s integrated PDF reader and, therefore, those versions which do not include the feature – the mobile version of the browser – were not affected. While the exploit did not include the execution of external code, it did allow for potentially violating users’ privacy by searching through their personal files and uploading them to an external server. Additionally, once the payload was executed, all traces of the exploit were removed.
For a more technical account of what the exploit did, Veditz explains the following:
On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for.bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts. Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload.
The company is encouraging users to update to Firefox version 39.0.3 – which has fixed the issue – and also exhorts users to change any password or login information stored in the above files.
While Internet malfeasance has always been a threat, the last few weeks seem to have been particularly troubled, with Yahoo suffering from a Flash attack that could have affected millions and the Stagefright vulnerability leaving almost a billion Android smartphones vulnerable to an attack.