Critical Firefox Update Today

Published: 2015-08-07
Last Updated: 2015-08-07 15:43:45 UTC
by Tony Carothers (Version: 1)
3 comment(s)

The good folks at Firefox have released their latest version, 39.0.3, in response to vulnerability  CVE-2015-4495, which has been seen in the wild and allows an attacker to read and steal sensitive local files.  The vulnerability takes advantage of the interaction between the JavaScript context separation and the PDF Viewer.  The exploit works by injecting a JavaScript payload into the local file context, which allows it to search and upload local files.  Mozilla products that do not contain the PDF viewer are not vulnerable, as well as Mac systems.


**NOTE**: This exploit has been seen in the wild, and leaves no trace it has run on the local machine.  The exploit description described in greater detail at the Mozilla Security website gives additional details on what files are currently being targeted. As with any updates being deployed into the enterprise, we highly recommend testing updates for impact before deployment, and ensure all configuration and change control requirements are maintained.

tony d0t carothers --gmail

3 comment(s)

Comments

Basically, if you are a web developer and use Firefox, change your passwords and ssh certificates.

The exploit is targeted at people who access websites for development and maintenance.
This bug does not only allow to read any local file, but also to (over)WRITE local files, and can thus be (ab)used to execute arbitary code, leading to RCE.
Anyone know of which IPs/URL it's would have been hitting?
Can't find anything in the write-ups that would allow admins to check.
Diary Archives