by Swapnil Bhartiya

Firefox zero-day hole found, exploited: Update now

Aug 07, 2015
Open Source, Security

Go update Firefox. Then come back and read this story. No, really, I mean it.

A new security hole has been exposed in the Firefox browser. Mozilla has already patched it and released an update. The organization wrote in a blog post, “Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.”

No software is bug free – whether open source or proprietary – and there can always be security holes. The big difference comes from transparency and promptness in patching such holes. We have seen cases with Microsoft Windows and Mac OS X where the security teams informed the companies of security holes and they didn’t patch them for months – leaving such systems to be exploited.

That’s not the case with open source. Here, patches are released in a matter of hours, not months or years.

As I said before, there can be bugs in any software, and in this case a bug in the built-in PDF reader allowed an attacker to read and steal ‘sensitive’ local files on a user’s computer.

The attack was targeted at Linux and Windows users, leaving out Mac OS X users — this time. Just because the attacker didn’t target Mac OS X doesn’t mean Mac users shouldn’t care. The number of exploits found on Mac OS X and iOS is increasing, so it’s unwise not to update Firefox.

The attackers went after “the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with ‘pass’ and ‘access’ in the names, and any shell scripts,” wrote Daniel Veditz of Mozilla.

In the case of Windows, attackers “looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients,” he added.

So if you are on any of these three platforms, you must update Firefox immediately (you can finish this story later). Linux and Windows users must also change their passwords and SSH keys if they used any of these programs.
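To decide which passwords and keys to change, it helps to know which of the files named in Mozilla's Linux list actually exist in your home directory. The following is an added example, not code from this article or from Mozilla: the function names, the depth limit, and the directory names assumed for Remmina, FileZilla and Psi+ are illustrative assumptions, and the sample tree is constructed.

```python
import os
import tempfile

# Names from the Mozilla quote (Linux list). The directory names for Remmina,
# FileZilla and Psi+ are assumptions about where those tools store settings.
HISTORY_FILES = {".bash_history", ".mysql_history", ".pgsql_history"}
CONFIG_DIRS = {".ssh", ".remmina", "remmina", ".filezilla", "filezilla", "psi+"}

def classify(rel_path):
    """Return why a file warrants credential rotation, or None."""
    *dirs, name = rel_path.lower().split(os.sep)
    if name in HISTORY_FILES:
        return "history file: rotate any password typed on a command line"
    for d in dirs:
        if d in CONFIG_DIRS:
            return f"{d} config or key: regenerate keys, change saved passwords"
    if name.endswith(".txt") and ("pass" in name or "access" in name):
        return "text file named like a credential note: rotate its contents"
    if name.endswith(".sh"):
        return "shell script: check for embedded secrets"
    return None

def rotation_checklist(home, max_depth=4):
    """Walk one home directory and list (relative path, reason) pairs."""
    findings = []
    for root, dirs, files in os.walk(home):
        rel_root = os.path.relpath(root, home)
        depth = 0 if rel_root == "." else rel_root.count(os.sep) + 1
        if depth >= max_depth:
            dirs[:] = []  # do not descend further
        for f in files:
            rel = os.path.normpath(os.path.join(rel_root, f))
            if (reason := classify(rel)):
                findings.append((rel, reason))
    return sorted(findings)

def build_sample_home(base):
    """Create a constructed home directory tree for the demonstration."""
    for rel in (".bash_history", ".ssh/id_rsa", ".config/filezilla/sitemanager.xml",
                "notes/db_passwords.txt", "bin/backup.sh", "Documents/report.odt"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in rotation_checklist(build_sample_home(tmp)):
            print(f"{rel}: {reason}")
```

To check a real account, call `rotation_checklist(os.path.expanduser("~"))`; it only reads file names and never opens the files.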

I commend Mozilla for how quickly it responded to the exploit. Compare that to Microsoft, where the company takes issue with Google ‘disclosing’ the hole after the three-month deadline passes instead of actually fixing the bug itself. Apple is no different; it takes years to patch some holes.

That’s why I use open source.