Zero-Day Attack on Firefox Users Stole Password and Key Data: Patch Now!
A website in Russia has been caught exploiting a serious zero-day vulnerability in Mozilla’s Firefox browser, prompting the open-source developer to deliver an emergency update that fixes the flaw.
The attack targeting Windows users appeared to go after files of interest to software developers. The targeted data included subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. Firefox users running Apple’s OS X weren’t targeted. The exploit was served in an advertisement on an undisclosed Russian news site, but Veditz said he couldn’t rule out the possibility that other sites also hosted the attack. Some of those may have targeted Macs in addition to Windows and Linux.
“The exploit leaves no trace it has been run on the local machine,” Veditz wrote. “If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.”
Mozilla has issued an emergency update patching the vulnerability. Users should check their version of Firefox to make sure they’re running version 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.