Mozilla moves to patch flaw in Firefox

News by Rene Millman

Mozilla has issued an update to its Firefox browser after it was discovered that a flaw in the code could allow an attacker to search out files on a victim's machine and upload them to a remote server.

Mozilla was notified of the problem by a user who noticed an advert displayed on a Russian news website had been serving an exploit that then looked for files before copying them to a remote location.

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the ‘same origin policy’) and Firefox's PDF Viewer,” Mozilla said in a blog post.

The flaw doesn't affect Mozilla products that don't include the PDF Viewer, nor Firefox for Android.

The flaw was reported by security researcher Cody Crews. While the problem cannot be used to execute arbitrary code, it can enable a hacker to inject JavaScript into a local file context. This allows it to search for and upload potentially sensitive local files.

Daniel Veditz, security lead at Mozilla said the files it was looking for were “surprisingly developer focused for an exploit launched on a general audience news site, though of course we don't know where else the malicious ad might have been deployed”.

On Windows the exploit looked for subversion, s3browser, and Filezilla configuration files, .purple and Psi+ account information, and site configuration files from eight different FTP clients.

On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts.

Veditz added that there are also variants that look for files on a Mac. Users have been advised to update to the latest version of Firefox.

“The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs,” he added. “People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.”
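Veditz's advice above, to rotate any passwords and keys held in the listed files, is easier to act on with an inventory of which of those files actually exist on a machine. The following Python script is an added example, not code from Mozilla or from this article: it walks a home directory and reports which of the files in the Linux list are present, so the owner knows what to rotate. It checks only for existence and never reads or transmits file contents. The `.ssh` directory and the three history file names come from the article; reading "text files" as `.txt` and the directory names assumed for Remmina, FileZilla and Psi+ are assumptions, since the article names only the programs.

```python
"""Inventory of the local files named in Mozilla's advice, to drive credential rotation.

Added example, not code from Mozilla or the article. It reports which of the files
listed for Linux exist under a home directory so the owner knows which passwords and
keys to rotate. It only checks for existence; it never reads or transmits contents.
"""
import os
import re
import tempfile
from typing import Dict, Optional

# Exact file names from the article's Linux list.
HISTORY_FILES = {".bash_history", ".mysql_history", ".pgsql_history"}

# Directories holding the configuration files and keys named in the article.
# ".ssh" is from the article; the directory names for Remmina, FileZilla and
# Psi+ are assumptions, since the article names only the programs.
CONFIG_DIRS = {".ssh", ".remmina", ".filezilla", ".psi+"}

# Text files with "pass" or "access" in the name (".txt" taken as "text file"
# here, an assumption), and any shell script.
SENSITIVE_TEXT = re.compile(r"(pass|access).*\.txt$", re.IGNORECASE)
SHELL_SCRIPT = re.compile(r"\.sh$")


def classify(path: str) -> Optional[str]:
    """Return why this file matters for rotation, or None if it is not on the list."""
    name = os.path.basename(path)
    parent = os.path.basename(os.path.dirname(path))
    if name in HISTORY_FILES:
        return "shell or database history"
    if parent in CONFIG_DIRS:
        return f"{parent} configuration or key"
    if SENSITIVE_TEXT.search(name):
        return "text file with 'pass' or 'access' in the name"
    if SHELL_SCRIPT.search(name):
        return "shell script"
    return None


def inventory(home: str) -> Dict[str, str]:
    """Map each matching file under `home` (relative path) to the reason it matters."""
    found: Dict[str, str] = {}
    for root, _dirs, files in os.walk(home):
        for fname in files:
            full = os.path.join(root, fname)
            label = classify(full)
            if label:
                found[os.path.relpath(full, home)] = label
    return found


def demo() -> Dict[str, str]:
    """Run the inventory over a constructed sample home directory (not real data)."""
    with tempfile.TemporaryDirectory() as home:
        sample = [
            ".bash_history",
            os.path.join(".ssh", "id_ed25519"),
            os.path.join("notes", "passwords.txt"),
            os.path.join("bin", "deploy.sh"),
            "README.md",  # should not be flagged
        ]
        for rel in sample:
            full = os.path.join(home, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("constructed sample\n")
        return inventory(home)


if __name__ == "__main__":
    # Point inventory() at a real home directory to produce the rotation list;
    # demo() runs it over constructed files only.
    for rel, why in sorted(demo().items()):
        print(f"{rel}: {why}")
```

Run `inventory(os.path.expanduser("~"))` on a machine that browsed with an unpatched Firefox to get the list of files whose credentials should be rotated; the output is the to-do list, not a verdict that anything was taken, since as Veditz notes the exploit leaves no local trace either way.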

According to Jerome Segura, senior security researcher at Malwarebytes, this attack's main purpose is to steal passwords and other highly sensitive data. “This attack is particularly dangerous and very stealthy as well because it will leave no artefacts on the victims' computers and they will have absolutely no idea of what just took place,” he said.

“This is because the exploit abuses the Same-Origin Policy by injecting JavaScript into Firefox's built-in PDF Viewer. The Same-Origin Policy only allows a web page to access data in a second web page if both have the same origin. In this case, the first web page can access data on the user's local hard drive!” he added.

Segura said the vulnerability is unique in that it does not download any malware on the system it wishes to steal from, contrary to typical attacks that download and execute Trojans or backdoors first. “One big advantage of using such a technique is to minimise the footprint and therefore detection on a system,” he said.

Erik McClements, senior consultant at Context Information Security, said the exploit is “pretty bad”.

“When a victim has an attacker's page loaded, or a page containing attacker content, they effectively offer up their local file-system. Any file that the victim can read, the attacker can steal. The exploit is therefore as bad as the data a user has available,” he said.

He said that this exploit specifically targets Linux users, perhaps indicative of the hackers' original targets. “A competent attacker will likely do the same when tailoring this exploit for their own goals – delivering an exploit preloaded with patterns to immediately steal matching files – as the window of opportunity may be small and manually browsing the file-system remotely may take too long,” said McClements.

McClements added that he would expect to see this added to all competent attackers' arsenals and tweaked to steal the specific data for their goals.

He added that the exploit was “very clean” with limited opportunities to detect it, the most likely being the exfiltration of the data, where an attacker with weak tradecraft may not attempt to hide the data or its destination particularly well. “Beyond that, an organisation or end user may wish to further limit the browser functionality that is available to websites,” he said.

Adam Winn, senior product manager at OPSWAT, said the most common malware exploits are often tied to vulnerabilities that were identified years ago.

“So once vulnerabilities are announced and patches are provided, the key is ensuring that they are applied across your entire organisation,” he said.

Catalin Cosoi, chief security strategist at Bitdefender, said that while the exploit can't execute code on the target machine, hackers could search for and upload local files, which may contain passwords or other sensitive data.

“Consequently, even if the vulnerability doesn't allow the attacker to download malicious payloads locally, they could still do a lot of damage by seizing FTP configuration files, SSH configuration files and keys, and so on,” he said.

“Knowing all this they could, theoretically, compromise FTP servers and use them to host malware,” he said.
