Mozilla issues quick fix for Firefox zero-day bug

Password harvesting attack found on Russian website; exploit targeted developer tool configuration files on Windows and Linux

Mozilla Firefox browser logo Credit: Gerd Altmann / Pixabay

Mozilla yesterday updated its Firefox browser to patch a zero-day vulnerability being used to harvest passwords on Windows and Linux machines.

The update, Firefox 39.0.3, was released about 24 hours after Mozilla engineers heard of the flaw.

"A Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine," Daniel Veditz, a security lead at Mozilla, wrote on a company blog.

The flaw involved the code that "enforces JavaScript context separation (the 'same origin policy')" and Firefox's PDF Viewer, Veditz added, referring to the browser's built-in PDF (portable document format) viewer. Like other browsers, Firefox displays PDF documents without relying on Adobe's own plug-in.

Although Veditz did not name the Russian news site -- something that users asked him to do in the comments appended to his post -- he detailed what the attackers had targeted. "The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site," Veditz said.

The exploit code searched for, among other things, configuration files for the FileZilla and S3 Browser file transfer tools -- the latter used to retrieve data from Amazon's cloud-based Simple Storage Service (S3) -- and eight FTP (file transfer protocol) clients, account information files associated with the Jabber and Pidgin instant messaging clients, and configuration files for the open-source Apache Subversion, software used by developers to track code changes.

Those running Firefox on a Mac were not targeted by the known exploit, but Veditz cautioned that they were not immune to the vulnerability: Other payloads could take aim at OS X.

Because the exploit harvested stored credentials, Mozilla recommended that users reset the passwords used by the targeted applications.

While Veditz did not delve into the hackers' motivations, someone identified only as "Anonymous Coward" did that for him in the comments. "If you gather credentials for GitHub, cloud storage services and whatnot from many, many people, you're in a way better position to start harvesting confidential data from the Web than if you just crawl[ed] their local drives," wrote the commenter.

Firefox 39.0.3 can be downloaded from Mozilla's website; current users of the browser can trigger an update by selecting "About Firefox" from the "Firefox menu."

Mozilla rushed an emergency patch for Firefox -- updating the browser to 39.0.3 -- to stymie a password harvesting attack that hit users who visited an unnamed Russian news website.

This story, "Mozilla issues quick fix for Firefox zero-day bug" was originally published by Computerworld.