Malicious ad can steal users’ local files on Firefox

Heads up, Firefox users — Mozilla is urging you to update your browser post-haste, after a rogue advertisement on a Russian news site was found to be exploiting a vulnerability that compromised Firefox users’ local files.
 
“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer,” explained Mozilla’s security head, Daniel Veditz, in a blog post.
 
In effect, the attacker was able to circumvent Firefox’s security and inject a malicious script that searched for key files on a user’s machine and then uploaded them to a remote server, thought to be located in the Ukraine. This would’ve applied to anyone loading the page with the exploit on it — and the exploit left no trace, according to Mozilla.
 
The issue was reported on Wednesday, August 5, with a security update issued yesterday. While Mozilla says only Windows and Linux users were apparently targeted, the malware could easily be adapted for Mac users too — so everyone is encouraged to update to the latest version.
 
Even if you haven’t visited the Russian news site in question, it’s not known whether the ad has been deployed elsewhere. Firefox for Android, and other Mozilla products that don’t sport the built-in PDF Viewer, are not affected.
 
While ad-blocking is still frowned upon by many, this latest incident could provide people with added justification for using ad-blocking software on their computers.
 
News Source: VentureBeat