Firefox zero-day hole used against Windows and Linux to steal passwords

These days, Firefox updates usually just happen and you don’t think too much about them.

You probably think about updates even less if they cover only the so-called “lesser vulnerabilities”, and not remote code execution (RCE) holes.

RCE is where a crook can implant malware on your computer without you noticing, and certainly without you getting any OK/Cancel popups where you might otherwise head off trouble.

But even “lesser” vulnerabilities can cause what are known as information disclosures – security holes that in their most serious form lead to data or even identity theft.


Critical update

Data theft is just what Mozilla warned about in a blog post published on 06 August 2015, when it announced a critical update for Firefox.

→ Make sure you have 39.0.3 if you use the regular version, or ESR 38.1.1 if you stick to the Extended Support Release. (Version numbers correct at 2015-08-07T21:00Z.)

The security hole is in Firefox’s very handy built-in PDF viewer, known colloquially as PDF.js because it is actually implemented inside the browser as a JavaScript program. (No plug-in is required.)

The bug doesn’t allow an attacker to run arbitrary executable code, so it can’t be used to implant malware.

But it does allow a crook to feed JavaScript into your browser from outside and run it as if you’d loaded it locally.

So, even though the attacker can’t sneakily download malicious files from his site onto your computer, he can upload files off your computer onto his server without asking.

In other words, the bug allows crooks to steal critical data from your computer without any obvious sign that it’s happening.

Bypassing the Same Origin Policy

As you probably know, a security feature called the Same-Origin Policy (SOP) in your browser is supposed to prevent JavaScript from site X from accessing private data belonging to site Y.

And if JavaScript from one web page shouldn’t be able to access data from other web pages, it certainly shouldn’t be able to access local files stored on your hard disk.

But in this exploit, local files can be sneakily retrieved and exfiltrated.

Worse still, according to Mozilla, the bug was noticed because crooks started exploiting it.

A poisoned ad that appeared on a Russian news site was apparently used to go after the sort of password and configuration files that you might expect developers to have.

Windows and Linux attacked

Mozilla claims that the booby-trapped ad network attempted to kick off a veritable data harvesting feast.

On Windows, the crooks went for:

  • Subversion, s3browser, and Filezilla configuration files. These are source code repositories, where developers keep their intellectual property.
  • Account information for Psi+ and Pidgin, instant messaging clients that developers might use for chatting and transferring files.
  • Configuration data for eight different FTP clients. FTP, or its secure cousin SFTP, is often used for file uploads and downloads to and from file repositories and content management systems.

On Linux, the crooks went for:

  • Global configuration files such as /etc/passwd. The passwd file no longer stores actual passwords but it lists all user accounts on the computer.
  • Files in users’ home directories such as .bash_history, .mysql_history and .ssh files including private keys. Stealing your SSH keys could allow a crook to log directly into all the servers you use regularly.
  • Text files with names containing pass or access. These may contain plaintext secrets such as passwords.
  • All shell scripts. These may contain passwords or other confidential information that is needed to automate access to secure systems and services.

In short, the crooks were after data they could use in order to come back later at their leisure and suck up critical information from far and wide across your network.

(If they didn’t want to come back themselves, they probably hoped to make a tidy sum selling your secrets on to someone who did.)

What to do?

  • Update Firefox immediately.
  • Consider changing any passwords that may have been exposed in the files mentioned above. (See Mozilla’s blog for a more precise list.)
  • On Linux, consider turning off the “history” feature in Bash and other programs, because your command history often reveals passwords or other confidential data.
  • Consider using two-factor authentication so that stolen passwords alone are not enough for a crook to log in as you.


NB. To make sure that your Firefox is patched, go to Firefox | About Firefox and click [Check for updates]. Firefox on Android is not affected because it does not include the PDF.js viewer.
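If you manage more than one machine, clicking through About Firefox on each one does not scale. The script below is an added example (not from Mozilla or from this article) that decides whether a given Firefox version string is at or above the fixed versions named above, treating the regular release and ESR channels separately; it assumes that `firefox --version` prints a line of the form `Mozilla Firefox 39.0.3` (or `Mozilla Firefox 38.1.1esr` for ESR builds).

```python
import re
import subprocess

# Fixed versions from the Mozilla advisory quoted in the article above.
FIXED_RELEASE = (39, 0, 3)   # regular release channel
FIXED_ESR = (38, 1, 1)       # Extended Support Release channel

# Matches "39.0.3", "38.1.1esr", "Mozilla Firefox 39.0" and similar.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\s*(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return (version_tuple, is_esr) for the first version found in text,
    or None when the text carries no version number at all."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, bool(m.group(2))


def _pad(version, length=3):
    # "39.0" and "39.0.0" denote the same build; pad so tuples compare cleanly.
    return version + (0,) * (length - len(version))


def is_patched(text):
    """True when the version named in text contains the PDF.js fix.
    ESR builds are compared against 38.1.1, everything else against 39.0.3."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError("no Firefox version number in: %r" % text)
    version, is_esr = parsed
    fixed = FIXED_ESR if is_esr else FIXED_RELEASE
    return _pad(version) >= fixed


def installed_is_patched(binary="firefox"):
    """Query the locally installed binary; None if it cannot be run.
    Assumes 'firefox --version' prints e.g. 'Mozilla Firefox 39.0.3'."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=30).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_patched(out)


if __name__ == "__main__":
    result = installed_is_patched()
    print("firefox not found" if result is None else
          ("patched" if result else "UNPATCHED: update now"))
```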