New vulnerability found in Firefox

A new exploit abuses a vulnerability in Firefox that allows information from user accounts to be obtained from their local machines.

On August 6th, Daniel Veditz posted on the Mozilla blog about a new vulnerability. Follow along here at Diolinux as we unpack this story.


This news deserves everyone's attention: on August 5, a Firefox user informed the community that an ad on a Russian news site was distributing an exploit for Firefox that searched for vulnerable files and uploaded them to a server that appears to be in Ukraine. On the morning of August 6, Mozilla released security updates that address the vulnerability. All Firefox users are advised to upgrade to Firefox 39.0.3. The fix has also been incorporated into Firefox ESR 38.1.1.
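For anyone checking more than one machine, here is a small version check against the two fixed versions named above. It is an example added to this article, not code from Mozilla, and the inventory format (a host name plus a version string, with an `esr` suffix marking ESR builds) and the host names are assumptions made for illustration.

```python
import re

# Fixed versions as stated in the article.
FIXED_RELEASE = (39, 0, 3)
FIXED_ESR = (38, 1, 1)

# Assumed format: "39.0.3" for release builds, "38.1.1esr" for ESR builds.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def classify(version):
    """Return 'patched', 'needs_update' or 'unknown' for one version string."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        # Betas, nightlies or malformed entries: review these by hand.
        return "unknown"
    parts = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    # ESR and release builds have different fixed versions, so a plain
    # "is it at least 39.0.3?" test would wrongly flag a patched ESR 38.1.1.
    fixed = FIXED_ESR if m.group(4) else FIXED_RELEASE
    return "patched" if parts >= fixed else "needs_update"


def audit(inventory):
    """Map each host that is not confirmed patched to its status."""
    report = {}
    for host, version in inventory:
        status = classify(version)
        if status != "patched":
            report[host] = status
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ws-01", "39.0.3"),
    ("ws-02", "39.0"),
    ("ws-03", "38.1.1esr"),
    ("ws-04", "38.1.0esr"),
    ("ws-05", "38.0.5"),
    ("ws-06", "40.0b9"),
]

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, status)
```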

This vulnerability in Firefox allows account information on users' local machines to be obtained.

The update is simple to install, and the process is well explained on Mozilla's own page.


The vulnerability comes from the interaction between the mechanism that enforces JavaScript context separation and the Firefox PDF Viewer. Mozilla products that do not contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability did not enable arbitrary code execution, but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload local files that are potentially vulnerable.

The exploit leaves no trace that it has run on the local machine. For this reason, Mozilla strongly urges you to install the update, which came out very quickly (in less than a day, congratulations to the community).

