Firefox has issued an update for its browser after the discovery of a vulnerability that allows a violation of the same-origin policy and injects a script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim’s computer. Mark James, Security Specialist at IT security firm ESET, commented on the issue in the Firefox browser.
Mark James, Security Specialist at IT security firm ESET:
How bad is this exploit?
“This exploit is classed as ‘Critical’ by Mozilla themselves, so that gives an indication of how bad it actually is. It allows an attacker to read and steal sensitive files stored on the victim’s computer; it could then send that data elsewhere for its own malicious use, which could include identity theft, targeted phishing attacks or simply using that data for access to other private or financial websites.”
How much are hackers likely to use this exploit to steal data?
“Reports suggest that this exploit is already being used in the wild, so it is ultra-important that it is fixed and updated as quickly as possible. Mozilla have reported that it’s fixed in Firefox 39.0.3 and ported to its extended support release, Firefox ESR 38.1.1.”
What other things could hackers do with this exploit?
“The exploit is able to inject a JavaScript payload into the local file context that enables it to find and upload possibly sensitive files. These files could come from a Windows or a Linux platform; Mac users are not affected by this particular vulnerability.”
Are any other browsers at risk?
“This particular exploit only affects Firefox’s PDF viewer, and thus any browsers that do not include this, such as the Android version, are not vulnerable.”
What should organisations do to protect themselves from the risk?
“Make sure their versions of Firefox are always kept up to date, ensure their operating systems and any security software are also on the latest versions and updating regularly, and use a good anti-virus or internet security software to help keep them safe.”
About ESET: ESET is a pioneer of proactive protection against cyber threats with its award-winning NOD32 technology. Daily, it protects over 100 million computers, laptops, smartphones, tablets and servers, no matter the operating system. ESET solutions for the home and business segments deliver a continual and consistent level of protection against a vast array of existing and emerging threats.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.