File-stealing Firefox bug exploited in the wild, patch immediately!

A critical Firefox vulnerability has been spotted being exploited in the wild.

The bug, reported by security researcher Cody Crews, allows attackers to violate Firefox’ same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. The flaw can be exploited to steal local files from a victim’s computer.

And this is exactly what happened in the attack.

“A Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine,” shared Daniel Veditz, Security Lead at Mozilla.

“The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don’t know where else the malicious ad might have been deployed.”

“The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs,” he advised, and added that people who use ad-blocking software might not have been affected by the attack (depending on the software).

The exploit can’t work on Mozilla products that don’t contain the PDF Viewer, e.g. Firefox for Android. This particular exploit also doesn’t target Firefox for Mac.

Nevertheless, users would do well to upgrade their browser to the latest version (Firefox 39.0.3 and Firefox ESR 38.1.1), which plugs the hole.