Firefox Exploit Discovered, But Update Is Already Available

If you're a Firefox user and reading this, stop and update to version 39.0.3 right now. Mozilla has revealed on its blog that a nasty exploit has been discovered that can give someone access to the files on your computer. The security hole allows JavaScript to be injected, letting an attacker search your computer and then upload files to a server in Ukraine. Even worse is the fact that no trace of the breach is left behind, so users will have no idea the breach has taken place.

The good news in all this is that Mozilla has already issued a patch, bringing Firefox up to version 39.0.3, while enterprise users need to have version 38.1.1. It's also very unlikely the attack has seen widespread use at this point, as it was only first discovered on an advertising network in Russia.

Mozilla explained that the exploit "comes from the interaction of the mechanism that enforces JavaScript context separation (the 'same origin policy') and Firefox's PDF Viewer." Basically, that means the attack relies on Firefox's PDF Viewer, so versions of the browser that don't have it, such as Firefox for Android, aren't susceptible. Surprisingly, the attack specifically looks for developer-related files.

Mozilla added that the scripts target PC and Linux users but not Macs; Mac users are not immune, however. Thus, all users should update Firefox as soon as possible. Mozilla also notes that the exploit was discovered by Cody Crews, a security researcher, who notified the organization right away.
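For anyone responsible for more than one machine, the fixed versions above can be checked across an inventory. This is an added example, not code from Mozilla or the original article; the CSV layout (`host,platform,channel,version`), the host names and the channel labels `release`/`esr` are assumptions made for illustration.

```python
import re

# Fixed versions stated in the article: 39.0.3 (release) and 38.1.1 (enterprise/ESR).
FIXED = {"release": (39, 0, 3), "esr": (38, 1, 1)}

# The article notes builds without the PDF Viewer (e.g. Android) are not susceptible.
NO_PDF_VIEWER = {"android"}


def parse_version(text):
    """Turn '39.0', '39.0.3' or '38.1.1esr' into a 3-tuple; None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:esr)?", text.strip().lower())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def audit(inventory_csv):
    """Return {host: status} for lines of 'host,platform,channel,version'."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        host, platform, channel, version = (f.strip() for f in line.split(","))
        parsed = parse_version(version)
        if platform.lower() in NO_PDF_VIEWER:
            results[host] = "not-affected"
        elif parsed is None or channel.lower() not in FIXED:
            results[host] = "unknown"  # review by hand rather than assume safe
        elif parsed >= FIXED[channel.lower()]:
            results[host] = "patched"
        else:
            results[host] = "update-required"
    return results


# Constructed sample inventory (hypothetical hosts, assumed CSV layout).
SAMPLE = """
dev-01,linux,release,39.0
dev-02,windows,release,39.0.3
ops-01,windows,esr,38.1.0esr
ops-02,mac,esr,38.1.1esr
mob-01,android,release,39.0
lab-01,linux,release,nightly
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Mac hosts are compared against the same minimums as every other desktop platform, since the article says they are not immune.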

SOURCE Mozilla