
Firefox zero-day hole used against Windows and Linux to steal passwords

Poisoned ads have been helping to siphon off passwords from Windows and Linux computers in an attack apparently aimed at developers.

These days, Firefox updates usually just happen and you don’t think too much about them.

You probably think about updates even less if they cover only the so-called “lesser vulnerabilities”, and not remote code execution (RCE) holes.

RCE is where a crook can implant malware on your computer without you noticing, and certainly without you getting any OK/Cancel popups where you might otherwise head off trouble.

But even “lesser” vulnerabilities can cause what are known as information disclosures – security holes that in their most serious form lead to data or even identity theft.


Critical update

Data theft is just what Mozilla warned about in a blog post published on 06 August 2015, when it announced a critical update for Firefox.

→ Make sure you have 39.0.3 if you use the regular version, or ESR 38.1.1 if you stick to the Extended Support Release. (Version numbers correct at 2015-08-07T21:00Z.)

The security hole is in Firefox’s very handy built-in PDF viewer, known colloquially as PDF.js because it is actually implemented inside the browser as a JavaScript program. (No plug-in is required.)

The bug doesn’t allow an attacker to run arbitrary executable code, so it can’t be used to implant malware.

But it does allow a crook to feed JavaScript into your browser from outside and run it as if you’d loaded it locally.

So, even though the attacker can’t sneakily download malicious files from his site onto your computer, he can upload files off your computer onto his server without asking.

In other words, the bug allows crooks to steal critical data from your computer without any obvious sign that it’s happening.

Bypassing the Same Origin Policy

As you probably know, a security feature called the Same-Origin Policy (SOP) in your browser is supposed to prevent JavaScript from site X from accessing private data belonging to site Y.

And if JavaScript from one web page shouldn’t be able to access data from other web pages, it certainly shouldn’t be able to access local files stored on your hard disk.

But in this exploit, local files can be sneakily retrieved and exfiltrated.

Worse still, according to Mozilla, the bug was noticed because crooks started exploiting it.

A poisoned ad that appeared on a Russian news site was apparently used to go after the sort of password and configuration files that you might expect developers to have.

Windows and Linux attacked

Mozilla claims that the booby-trapped ad network attempted to kick off a veritable data harvesting feast.

On Windows, the crooks went for:

  • Subversion, s3browser, and Filezilla configuration files. These are source code repositories, where developers keep their intellectual property.
  • Account information for Psi+ and Pidgin. Instant messaging clients that developers might use for chatting and transferring files.
  • Configuration data for eight different FTP clients. FTP, or its secure cousin SFTP, is often used for file uploads and downloads to and from file repositories and content management systems.

On Linux, the crooks went for:

  • Global configuration files such as /etc/passwd. The passwd file no longer stores actual passwords but it lists all user accounts on the computer.
  • Files in users’ home directories such as .bash_history, .mysql_history and .ssh files including private keys. Stealing your SSH keys could allow a crook to log directly into all the servers you use regularly.
  • Text files with names containing pass or access. These may contain plaintext secrets such as passwords.
  • All shell scripts. These may contain passwords or other confidential information that is needed to automate access to secure systems and services.

In short, the crooks were after data they could use in order to come back later at their leisure and suck up critical information from far and wide across your network.

(If they didn’t want to come back themselves, they probably hoped to make a tidy sum selling your secrets on to someone who did.)

What to do?

  • Update Firefox immediately.
  • Consider changing any passwords that may have been exposed in the files mentioned above. (See Mozilla’s blog for a more precise list.)
  • On Linux, consider turning off the “history” feature in Bash and other programs, because your command history often reveals passwords or other confidential data.
  • Consider using two-factor authentication so that stolen passwords alone are not enough for a crook to log in as you.
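Three of the steps above (check that you are on a fixed version, turn off shell history on Linux) and the about:config tip from the comment thread (pdfjs.disabled) can be scripted. The block below is an added example, not code from the article or from Mozilla. It assumes that `firefox --version` prints a line such as `Mozilla Firefox 39.0.3`, that Bash reads `~/.bashrc`, and that Firefox applies a `user.js` file found in the profile directory on start-up; the rc file and profile paths are passed in as parameters so the functions can be tried on temporary files first.

```shell
#!/bin/sh
# Added example (not from the article or from Mozilla): the Linux-side checks
# and mitigations from the "What to do?" list as shell functions.

# Exit 0 when the version string is at least the fixed release for its branch:
# 38.1.1 on the ESR 38 branch, 39.0.3 otherwise. Exit 2 if no version number
# can be found in the string.
firefox_is_patched() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Firefox[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    case "$ver" in
        38|38.*) min=38.1.1 ;;
        *)       min=39.0.3 ;;
    esac
    # Compare dotted versions field by field, treating missing fields as 0.
    printf '%s\n%s\n' "$ver" "$min" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i; na = NF }
        NR == 2 { for (i = 1; i <= NF; i++) b[i] = $i; nb = NF }
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                if (a[i] + 0 > b[i] + 0) exit 0
                if (a[i] + 0 < b[i] + 0) exit 1
            }
            exit 0
        }'
}

# Append settings that stop Bash and the MySQL client writing command history
# to disk. Takes the rc file path so it can be tried on a temporary file
# before touching ~/.bashrc. Skips the append if HISTFILE is already handled.
disable_shell_history() {
    rc="$1"
    if ! grep -q 'HISTFILE' "$rc" 2>/dev/null; then
        cat >> "$rc" <<'EOF'
# Keep typed passwords out of ~/.bash_history and ~/.mysql_history
unset HISTFILE
export HISTSIZE=0
export MYSQL_HISTFILE=/dev/null
EOF
    fi
    grep -q '^unset HISTFILE' "$rc"
}

# Equivalent of setting pdfjs.disabled to true in about:config: write the
# preference to user.js in the given Firefox profile directory.
disable_pdfjs() {
    profile="$1"
    [ -d "$profile" ] || return 2
    printf 'user_pref("pdfjs.disabled", true);\n' >> "$profile/user.js"
    grep -q 'pdfjs.disabled", true' "$profile/user.js"
}

# Usage on a real machine (kept as comments so the file can be sourced safely;
# PROFILE_DIR is a placeholder for your actual profile directory name):
#   firefox_is_patched "$(firefox --version)" && echo patched || echo "update now"
#   disable_shell_history "$HOME/.bashrc"
#   disable_pdfjs "$HOME/.mozilla/firefox/PROFILE_DIR"
```

The version check is the one worth keeping after this incident: it accepts 39.0.3 and anything newer, accepts 38.1.1 on the ESR branch, and rejects 39.0, 38.1.0 and anything older. Disabling PDF.js removes the vulnerable code path only until you re-enable it, so it is a stopgap, not a substitute for the update.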


NB. To make sure that your Firefox is patched, go to Firefox | About Firefox and click [Check for updates]. Firefox on Android is not affected because it does not include the PDF.js viewer.

10 Comments

One other thing to note: the recent attack could be prevented by the use of some ad blocking plugins, due to blocking the ad network that was used to inject the malicious script.

Though that’s not a generic protection against the PDF.js flaw. (Also, it would depend on whether your ad blocker knew about the ad network that was exploited.)

Wouldn’t deleting Java eliminate this problem?

No…this is down to JavaScript, which is quite different (despite the similarity in name).

Here’s more:

https://nakedsecurity.sophos.com/2013/01/16/java-is-not-javascript-tell-your-friends/

Would this affect all Firefox browser installations no matter if other PDF plugins were installed to view PDF files in Firefox or not?

If FoxIt Reader was installed and FoxIt Reader was configured as the default Firefox PDF viewer, would this Firefox installation still be vulnerable?

The installation would technically be vulnerable because the buggy code would remain and would run if ever your PDF plugin was turned off, or overridden.

Tut tut, the shame.
So there has to be a way to extract PDF.js from the browser, whether it’s a ‘plug-in’ or not, by manipulating the integrated coding or its behaviour by using a plug-in like Greasemonkey or the likes?

https://addons.mozilla.org/EN-us/firefox/addon/greasemonkey/

Come on Mozilla, ye should know better: once the bug has been exploited, an immediate plan of action should be in place, patch and update stat. I strongly believe patches/updates for these bugs/exploits should be mandatory and forced to avoid further adversities, and, for the love of all your fans, extract all PDF.js’s coding, design and implement it in the form of a ‘plug-in’ so that users have the choice of disabling or uninstalling it in the event of these malicious/sinister catastrophes.

Er, the main point of the article was to point out that Mozilla *did* release an update (and publicised its importance) “stat,” as you would have it.

(“Stat” is medical jargon, short for the Latin word “statim” meaning “immediately, now”.)

And you can turn off PDF.js if you like. Go to about:config and change pdfjs.disabled to true.
