ALERT: Update Firefox; vulnerability could allow access to files
8/11/15 update: For instructions for updating Firefox, see Update Firefox to the latest version (Mozilla Support).
This information was sent to U-M IT staff groups August 10, 2015.
This message is intended for U-M IT staff who are responsible for university machines running the Mozilla Firefox web browser, as well as for individuals who manage their own computers and use Firefox.
A vulnerability has been discovered in Mozilla Firefox's built-in PDF viewer. This vulnerability is being exploited in the wild. Successful exploitation of this vulnerability results in an attacker being able to read and steal local files on the victim's computer. The most recent version of Firefox fixes the vulnerability.
- Mozilla Firefox versions prior to 39.0.3
- Firefox ESR versions prior to 38.1.1. Firefox ESR is a version of the web browser intended to be deployed in large organizations; it is the version deployed by MiWorkspace.
- MiWorkspace machines will be updated this week.
- If you manage U-M machines for users, ensure that Firefox is updated to the most recent version.
- Individuals who manage their own computers should update to the latest version of Firefox.
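For staff checking many machines, the following is an added example (not part of the original alert and not Mozilla or U-M code) that compares installed versions against the fixed versions listed above. The inventory format (hostname, channel, version) and the host names are assumptions constructed for illustration. Note that the channel matters: ESR 38.1.1 is fixed even though it is numerically lower than 39.0.3.

```python
import re

# Fixed versions as stated in this alert; anything older on the same channel is affected.
FIXED = {"release": (39, 0, 3), "esr": (38, 1, 1)}

def parse_version(text):
    """Turn '38.1.0', '39.0' or '38.1.1esr' into ((major, minor, patch), has_esr_suffix)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognized Firefox version: {text!r}")
    return tuple(int(p or 0) for p in m.group(1, 2, 3)), bool(m.group(4))

def needs_update(version, channel="release"):
    """True if this install predates the fixed version for its channel."""
    parsed, esr_suffix = parse_version(version)
    if esr_suffix:
        channel = "esr"  # an explicit 'esr' suffix overrides the recorded channel
    return parsed < FIXED[channel]

def audit(inventory_text):
    """Return (host, channel, version, status) for each inventory line."""
    results = []
    for line in inventory_text.strip().splitlines():
        host, channel, version = line.split()
        try:
            status = "UPDATE" if needs_update(version, channel) else "ok"
        except (ValueError, KeyError):
            status = "REVIEW"  # unparseable version or unknown channel: check by hand
        results.append((host, channel, version, status))
    return results

# Constructed sample inventory (assumed format): hostname, channel, installed version.
SAMPLE = """
lab-01   release  39.0
lab-02   release  39.0.3
mws-17   esr      38.1.0
mws-18   esr      38.1.1
kiosk-3  release  38.0.5
dev-9    release  40.0b4
"""

if __name__ == "__main__":
    for host, channel, version, status in audit(SAMPLE):
        print(f"{host:8} {channel:8} {version:8} {status}")
```

Entries marked REVIEW (such as pre-release version strings) are outside what this alert covers and should be checked by hand.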
Mozilla has indicated that this vulnerability is being actively exploited in the wild.
Information for Users
MiWorkspace machines with Firefox will be updated this week. If you have Firefox installed on your own devices that are not managed by the university, please update to the latest version of Firefox. Always keep your software and apps up to date so that you are running the most secure versions.
Questions, Concerns, Reports
Please contact email@example.com.
- Mozilla Foundation Security Advisory 2015-78 (Mozilla, 8/6/15)
- Firefox exploit found in the wild (Mozilla Security Blog, 8/6/15)
- Warning! Update Mozilla Firefox to Patch Critical File Stealing Vulnerability (The Hacker News, 8/7/15)
- MS-ISAC Cyber Security Advisory: Update Firefox for security vulnerability (8/7/15)
- Mozilla urges users to update Firefox with file stealing exploit in wild (ZDNet, 8/7/15)