Daily Archives: August 7, 2015

Mozilla Releases Critical Firefox Security Updates

Yesterday Mozilla made available unscheduled security updates for Firefox 39 and Firefox ESR (Extended Support Release) 38.1. Firefox 40 is currently scheduled to be released on the 11th of August.

These updates resolve 1 critical CVE (CVE, defined) in both versions of Firefox mentioned above. A security researcher responsibly disclosed this issue to Mozilla. The issue involves violating the same origin policy of a web browser (where objects such as cookies and JavaScript data objects can only be read from/by the website that created them) in order to inject script into Firefox’s built in PDF viewer.

The injected JavaScript could be used to steal files from the victim’s computer. The files being targeted by attackers were application developer focused e.g. applications such as Subversion and FileZilla (a popular FTP client). On Linux credentials and potentially confidential information was targeted from directories such as /etc/passwd, .mysql_history and SSH configuration files among others. Further details of this attack as well as further recommendations from Mozilla if you use the affected applications are provided in this Mozilla Security blog post.

Since Mozilla has received information that this issue is being exploited in the wild, their decision to release updates immediately rather than waiting for the next scheduled release of Firefox to address this issue is to be commended.

Further details of these updates are available for Firefox 39.0.3 and Firefox ESR 38.1.1. Details of how to install updates for Firefox are here. Mozilla Firefox updates generally install without issues, however as always I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.