0-day attack on Firefox stole sensitive data and password

Mozilla released the version 39.0.3 Firefox to patch a critical 0-day vulnerability that has been exploited in the wild.

A zero-day vulnerability in Mozilla FireFox was reported on Wednesday to the company. A user noticed that an ad displayed on a Russian news website was serving an a malicious code. The exploit discovered by the user was developed to siphon sensitive files on the infected system. The exploit is very insidious, it was developed to avoid leaving traces on the targeted system.

“Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine” Mozilla wrote in a blog post.

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the ‘same origin policy’) and Firefox’s PDF Viewer”.

The flaw resides in the PDF viewer, for this reason it does not affect Firefox for Android and other Mozilla products that don’t contain the viewer component. Mozilla confirmed that the attack spotted in the wild has been targeting certain types of files hosted on Windows and Linux systems.

The experts explained that the vulnerability, coded as CVE-2015-4495,which was reported by researcher Cody Crews, cannot be exploited to execute arbitrary code.

The flaw could be exploited to inject a JavaScript payload into the local file context. In the attack uncovered by the researchers the threat actor leveraged the vulnerability to exfiltrate local files.

At the time I was writing there is no news of the attacks against Apple devices, Mozilla clarified that Mac systems could be also targeted because the payload can be adapted.

Which are the files the malware is looking for?

“On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd,  and then in all the user directories it can access it looks for.bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts. ” states Mozilla.

Mozilla doesn’t exclude that the exploit was deployed also on other websites, not necessarily news website.

Firefox for both Windows and Linux users urge to change passwords and keys contained in the files targeted by the attackers.

Fortunately, ad-blocking software could allow to mitigate this kind of attacks

The vulnerability has been already patched by Mozilla that released the version 39.0.3 Firefox and Firefox ESR 38.1.1. Don’t waste time, update your version now!

Pierluigi Paganini

(Security Affairs – zero -day, Mozilla Firefox)