Firefox Security Exploit Targets Linux Users and Web Developers

Through the years, Firefox has enjoyed a reputation as one of the most secure Web browsers on any platform, and it's the default browser for many Linux distros. However, a security exploit appeared this week that has shown users they can't afford to be complacent about security. Mozilla has rushed to patch the flaw, and a new release has closed the hole (39.0.3). But, plenty of users still haven't updated their browsers.

The exploit comes in the form of malicious code hidden within an apparently innocuous ad. The code runs when the user visits the site and leaves no traces that it was active. It scans the victim's computer for sensitive files and uploads them to a server in the Ukraine.

The current version of the exploit seems to be targeted at Web developers and administrators. It searches for files containing sensitive information that will allow the Ukrainian cyber-criminals to gain access to Web servers and Amazon Web services accounts.

With the credentials to access these remote servers, an attacker would have an almost unlimited array of options. They could deface a Web site, install malware to attack the site's users, steal client databases and much more.

The search is extremely thorough, ransacking the victim's machine searching for the following:

  • Configuration files for eight different FTP programs.
  • Configuration files for Remmina (a remote desktop app).
  • SSH config files and private/public key.
  • .bash_history (a list of the most terminal commands a bash user has executed).
  • .mysql_history and .pgsql_history (which contain information that could be used to attack a remote database).
  • s3browser files (s3browser is an app used to access Amazon cloud storage).
The malicious code recognizes the user's operating system and looks in the appropriate directories. It can adapt itself to Windows, Linux and Mac.

With criminals gaining the ability to corrupt popular Web sites, the risk extends far beyond the initial victims. The fallout from the first wave of attacks could potentially harm all the users who visit infected sites, so it's extremely important to close the security hole that makes the attack possible in the first place.

Although the current version of the exploit targets Web developers, the same method easily could be used to scan a normal user's computer for sensitive personal data. Even though we all know it's a bad idea to store sensitive information in an unencrypted form on our computers, plenty of users do exactly that. And even password-encrypted files can be cracked given enough time and computing power.

The exploit was made possible by an inconsistency between JavaScript same-origin policy and Firefox's interface with the PDF reader. This meant that malicious scripts were able to bypass the normal protections and run in a local file context, providing access to the user's filesystem.

Fortunately, protecting yourself from this current exploit is as easy as updating to the latest version of Firefox.