Firefox users should update immediately

“Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine,” Daniel Veditz reports via the official Mozilla Security Blog.

“This morning Mozilla released security updates that fix the vulnerability,” Veditz reports. “All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.”

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable,” Veditz reports. “The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.”

Read more in the full article here.

MacDailyNews Note: More info and download link for the Firefox update here.

13 Comments

  1. That is just frigging fantastic! FireFox ESR 31.8.0 is installed on my computer and updates are disables by my system administrator!

    Fortunately, I almost exclusively use Safari. Over time, the frequency with which I run into non-standard websites that will not load in Safari has significantly decreased. Safari generally works well even when I receive a warning message that it may not.

    Someday all of that legacy Microsoft non-standard HTML and reliance on Flash and such will completely disappear, and that will be good.

    1. Indeed, the linked article only describes what happens on Win and Linux… Apple or Mac OX X is not mentioned.

      As of Aug. 09, my copy was version 39.0, and claimed to be up-to-date, updated on Aug. 08. (The vulnerabality was published Aug. 05, and the fix with version 39.0.3 was offered Aug. 06)

      However, the current version for Mac OS X downloadable directly (not via the built-in autoupdate) is 39.0.3.

      1. Correction. There’s one sentence stating that “Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload.”

Add Your Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.