ALERT: Update Firefox; vulnerability could allow access to files
Monday, August 10, 2015
8/11/15 update: For instructions on updating Firefox, see Update Firefox to the latest version (Mozilla Support).
This information was sent to U-M IT staff groups August 10, 2015.
This message is intended for U-M IT staff who are responsible for university machines running the Mozilla Firefox web browser, as well as for individuals who manage their own computers and use Firefox.
Summary
A vulnerability has been discovered in Mozilla Firefox's built-in PDF viewer. This vulnerability is being exploited in the wild. Successful exploitation of this vulnerability results in an attacker being able to read and steal local files on the victim's computer. The most recent version of Firefox fixes the vulnerability.
Threats
Mozilla has indicated that this vulnerability is being actively exploited in the wild.
Affected Systems
- Mozilla Firefox versions prior to 39.0.3
- Firefox ESR versions prior to 38.1.1. Firefox ESR is a version of the web browser intended to be deployed in large organizations; it is the version deployed by MiWorkspace.
Action Items
- MiWorkspace machines will be updated this week.
- If you manage U-M machines for users, ensure that Firefox is updated to the most recent version.
- Individuals who manage their own computers should update to the latest version of Firefox.
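To help staff confirm that every managed machine meets the thresholds listed under Affected Systems, here is a small triage script. It is an added example, not part of the original advisory or of any U-M tooling; the inventory lines it reads are constructed for illustration, and the version strings are assumed to come from your own inventory export.

```python
import re

# Fixed builds named in the advisory: Firefox 39.0.3 and Firefox ESR 38.1.1.
FIXED_RELEASE = (39, 0, 3)
FIXED_ESR = (38, 1, 1)


def parse_version(version: str) -> tuple:
    """Turn '39.0.3' or '38.1.0esr' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {version!r}")
    # Missing minor/patch components (e.g. '39.0') are treated as zero.
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_esr(version: str) -> bool:
    """ESR builds report a version ending in 'esr', e.g. '38.1.0esr'."""
    return version.strip().lower().endswith("esr")


def is_vulnerable(version: str) -> bool:
    """True if this build predates the fix (CVE-2015-4495) on its channel."""
    v = parse_version(version)
    return v < (FIXED_ESR if is_esr(version) else FIXED_RELEASE)


# Constructed sample inventory: one 'hostname,firefox_version' record per line.
INVENTORY = """\
lab-pc-01,39.0.3
lab-pc-02,39.0
staff-laptop-07,38.1.0esr
staff-laptop-08,38.1.1esr
kiosk-03,40.0
"""


def hosts_needing_update(inventory_csv: str) -> list:
    """Return the hostnames whose Firefox build is still affected."""
    affected = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        if is_vulnerable(version):
            affected.append(host)
    return affected


if __name__ == "__main__":
    for host in hosts_needing_update(INVENTORY):
        print(f"UPDATE REQUIRED: {host}")
```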
Technical Details
A vulnerability has been discovered in Mozilla Firefox's built-in PDF viewer that may allow an attacker to view and steal sensitive files on a victim's computer. The exploit works by injecting a JavaScript payload into the local file context, which allows the script to search for and upload potentially sensitive local files belonging to the user. It can run in the background when a user visits a specially crafted webpage with the exploit code embedded. The exploit specifically looks for FTP configuration files, subversion, s3browser, Filezilla, libpurple and other account information on a Windows system, and for global configuration files and user directories on a Linux system.
Information for Users
MiWorkspace machines with Firefox will be updated this week. If you have Firefox installed on your own devices that are not managed by the university, please update to the latest version of Firefox. Always keep your software and apps up to date so that you are running the most secure versions.
Questions, Concerns, Reports
Please contact [email protected].
References
- Mozilla Foundation Security Advisory 2015-78 (Mozilla, 8/6/15)
- Firefox exploit found in the wild (Mozilla Security Blog, 8/6/15)
- Warning! Update Mozilla Firefox to Patch Critical File Stealing Vulnerability (The Hacker News, 8/7/15)
- MS-ISAC Cyber Security Advisory: Update Firefox for security vulnerability (8/7/15)
- Mozilla urges users to update Firefox with file stealing exploit in wild (ZDNet, 8/7/15)
- CVE-2015-4495