Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Mozilla Firefox Security

Mozilla Issues Fix For Firefox Zero-Day Bug 115

An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."
This discussion has been archived. No new comments can be posted.

Mozilla Issues Fix For Firefox Zero-Day Bug

Comments Filter:
  • External PDF viewer? (Score:4, Interesting)

    by maugle ( 1369813 ) on Friday August 07, 2015 @10:55AM (#50269619)
    Since this exploit uses an interaction between javascript and Firefox's built-in PDF viewer, it sounds like this doesn't affect people running NoScript. But what about people who don't use the built-in PDF viewer? e.g., if clicking on a PDF file opens the usual "download/open file" dialog, will the exploit still work?
    • by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Friday August 07, 2015 @11:02AM (#50269673)

      Why does a Web browser have a built-in PDF viewer in the first place?

      A PDF file is an external document not meant to be viewed inside a browser. Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

      • by Anonymous Coward

        Because Chrome has one.

      • Re: (Score:2, Informative)

        by mlts ( 1038732 )

        It is a tough choice. Build in your own PDF viewer, or use an existing one that pops up security holes now and then. In general, the built in ones have far fewer features, so there are fewer security holes.

        Chrome is better at this because it does more compartmentalization than Firefox. Firefox runs plugins in a separate process, but that is about the extent of the isolation they get, while Chrome runs everything in separate tasks, and you can even kill them in the browser.

        The only real long term solution

        • Or set your browser to download (or at least prompt) the PDF instead of automatically executing the PDF with any software. That way, a PDF you choose to look at can still work fine, but a drive-by exploit attempt will have another speedbump to get past.

        • That, and focus on not requiring third-party programs for Web content.

          But will web content ever remain static long enough for browser standards to keep pace? Mozilla tied itself up in knots over H.264 long after it had eclipsed all other contenders for HD video support.

      • Who do you trust more to create software with less security holes: Google or Adobe?

        • Sorry, was responding to wrong person but you can just switch Google with Mozilla. Mozilla has their share of software issues, for sure, but nothing even remotely bad as Adobe's track record.

      • by phantomfive ( 622387 ) on Friday August 07, 2015 @12:39PM (#50270411) Journal
        Because it's convenient. Because users like that feature. Those are the reasons.

        is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

        If enough web links go directly to that type of file, then they might. For the same reasons.

      • by Lennie ( 16154 ) on Friday August 07, 2015 @01:33PM (#50270769)

        Because users where not updating their external PDF viewers, so they included a viewer which does get frequent updates because the browser gets frequent updates. Thus making it a more secure solution.

        If you are using Adobe Acrobat it includes Javascript and Flash support and lots of other stuff you can't even image. Supposedly the code base of Adobe Acrobat is bigger than browsers like Firefox.

      • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Friday August 07, 2015 @03:03PM (#50271199) Homepage Journal

        Why does a Web browser have a built-in PDF viewer in the first place?

        Because just as text/html is a commonly used media type on the web, so is application/pdf. Having a PDF viewer written in JavaScript contributes to the Downloads folder not being quite as littered. And because not only is JavaScript inherently less subject to accidental "undefined behavior" than the C++ in which I assume Adobe implemented its Reader, but also has Mozilla shown itself to be more responsive than Adobe to security issues. That's also why Mozilla has been working on Shumway, its SWF player.

        Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

        Anyone who wants to write a JavaScript viewer for those formats is free to do so.

      • by bedouin ( 248624 )

        The first browser that allowed PDFs to be displayed inline without a plugin was Safari since its beta stages. That's because OS X has had the ability to display PDFs built in to it since its Nextstep days. So, it all stems from a desire to duplicate a feature in Safari that was actually a native feature of OS X . . .

      • because for some ungodly reason documents that people put online are sometimes in PDF format and it's nice to be able to open them with just a click on the link rather than the download/open another app method.
    • From hacker's news, it seems this exploit is in PDF.js. If you're not running PDF.js, there's no security hole.

  • by Anonymous Coward

    I told you I told you I told you. Seriously go back to when it was announced on slashdot and i very specifically said this will be nothing but an additional attack vector.
    As soon as i updated to the version which had it i immediately set it to never activate knowing this would happen eventually and have never used it since.

  • Without Firefox, I don't think I could actually ENJOY the internet anymore. No other browser allows you to tame the net like Firefox and the world of plugins that have been written.
  • by chasm22 ( 2713399 ) on Friday August 07, 2015 @02:00PM (#50270925)

    "The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. "

    It's taken from the blog about the exploit and doesn't seem to be drawing much attention.

  • Just checked, my Firefox says it is versoin 39.0 - no third number (39.0.3), and the application itself says it is "up to date".
    Would think that they'd include the full version-number in the About box (the place they say to go to check for updates), just so users can be 100% certain they are using the right one :/

    • by twosat ( 1414337 )

      Just did the same, with the same result.

      • There does appear to be a problem with the manual update set up. I ended up proceeding as if I were doing a fresh install: go to https://www.mozilla.org/en-US/... [mozilla.org] to download the installer and run it. When you do, and restart Firefox, About will in fact say 39.0,3.
      • by twosat ( 1414337 )

        Further to my post, a message balloon popped up about an hour ago saying that the update was available. I tried the same thing with the same result as before. Then, I thought that maybe it was something to do with me running as a Limited User, so I right-clicked the Firefox icon and chose the "Run as administrator" option. I logged in, Firefox promptly started up and I successfully updated from there.

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...