
Attention, Mozilla Firefox users. You need to fire up your browser on your computer and download the latest version right now. Mozilla has issued a critical update that fixes a security flaw, which could let hackers steal files from your hard drive.

Apparently, an advertisement on a Russian web site served an exploit that injected a JavaScript payload to search and upload sensitive files from your PC to Ukraine-based servers.

What You Need to Do


  1. Start Firefox. (Windows users, enable your Menu Bar by right-clicking on the settings icon)
  2. In the menu, go to Help > About Firefox or File > About Firefox, depending on your OS
  3. Firefox will automatically start checking for the update and install it
  4. Click Restart Firefox to Update
  5. Go back to About Firefox and check that you are running v39.0.3

If that doesn’t work for whatever reason, then download the latest Firefox version for your operating system and install it.

What Else You Need to Do


Alarmingly, Firefox said that the exploit does not leave any traces on the machine, so if your computer was affected, there is no way to know. Accordingly, Mozilla advises changing your passwords and keys for programs and files associated with the following:


On Windows: subversion, s3browser, and Filezilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients

On Linux: global configuration files like /etc/passwd, and then, in all the user directories it can access, it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts
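Because the exploit leaves no trace, the practical question on Linux is which of the listed files you actually have, since those are the secrets to rotate. The script below is an added example, not from Mozilla or the original article; it builds that checklist for one home directory. The directory-name patterns for Remmina, Filezilla and Psi+, the `.sh` suffix test, matching any file extension for "pass"/"access", and the depth limit are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): list files in one home directory that
# match the Linux targets the article names, as a password/key rotation checklist.

# Prefix each path read from stdin with a category label.
tag() {
    while IFS= read -r path; do printf '%s\t%s\n' "$1" "$path"; done
}

rotation_candidates() {
    home_dir=$1
    depth=${2:-4}    # assumption: search depth limit, to keep the scan quick
    if [ ! -d "$home_dir" ]; then
        echo "not a directory: $home_dir" >&2
        return 2
    fi

    # Shell and database client histories named in the article.
    for name in .bash_history .mysql_history .pgsql_history; do
        if [ -f "$home_dir/$name" ]; then echo "$home_dir/$name"; fi
    done | tag history

    # .ssh configuration files and keys.
    if [ -d "$home_dir/.ssh" ]; then
        find "$home_dir/.ssh" -type f | sort | tag ssh
    fi

    # Remmina, Filezilla and Psi+ configuration directories.
    # Assumption: they are recognisable by directory name.
    find "$home_dir" -maxdepth "$depth" -type d \
        \( -iname '*remmina*' -o -iname '*filezilla*' -o -iname 'psi+' \) |
        sort | tag app-config

    # Files with "pass" or "access" in the name (assumption: any extension),
    # and shell scripts (assumption: identified by a .sh suffix).
    find "$home_dir" -maxdepth "$depth" -type f ! -path "$home_dir/.ssh/*" \
        \( -iname '*pass*' -o -iname '*access*' \) | sort | tag named-secret
    find "$home_dir" -maxdepth "$depth" -type f -name '*.sh' | sort | tag script
    return 0
}

# When run with an argument, scan that directory, e.g.: sh checklist.sh "$HOME"
if [ "$#" -ge 1 ]; then rotation_candidates "$@"; fi
```

Each output line is a category and a path; treat every password, key or token stored in or reachable from a listed file as exposed and replace it.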

Like with most hacks and exploits, we advise changing all your passwords locally and for online services. This is yet another good reason to install a program like Dashlane, which automatically changes passwords across services.

Why This Is Urgent


“All Firefox users are urged to update to Firefox 39.0.3,” the company wrote on their blog.

According to Firefox, the exploit in question allows someone to “violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim’s computer.”

Since it was restricted to the built-in PDF viewer in Firefox, it only affected the desktop version of the browser and not Firefox Mobile, which does not have that feature.

Who Might Be Safe

There is no guarantee that anyone is safe, but based on Firefox’s disclosures, a few types of users may not be affected. Still, as a precautionary measure, we recommend you enact the aforementioned steps.

Mac Users: Mozilla noted that it had not found any evidence that Mac users were targeted by this exploit, but the vulnerability existed nonetheless.

Ad-Block Users: We don’t recommend using ad-blockers, but in this case, it might have saved some users from the exploit, since it was being served through ads.

Other Browser Users: If you aren’t using Firefox, then don’t worry. You’re safe. Carry on.

Why Are Other Browsers Safe?


Look, no browser is completely safe and such exploits continue to happen. That said, this particular exploit would not have been possible on Google Chrome or the new Microsoft Edge because of a simple reason: full security sandboxing.

While it uses basic sandboxing, Firefox does not fully isolate itself from the operating system. As The How-To Geek explains, Chrome, IE, Edge and others run browser processes with as few user permissions as possible. Think of it as concentric circles:

[Diagram: Chrome and Firefox sandboxing]

As this diagram shows, with Firefox, an exploit only has to get through Firefox to reach the operating system. With Chrome or IE, it needs to get through the browser, and then additionally get through the “sandbox” that separates it from the operating system. That means the exploit needs to target two vulnerabilities, not one, which is not an easy task.

Things like this have made some people say Firefox is the least secure browser.

Should You Not Use Firefox?


It’s not that simple. Chester Wisniewski, senior security adviser for Sophos, told CSO Online that sandboxes are a useful tool to thwart attacks, but not a requirement to be safe to browse with. Wisniewski himself uses Firefox as his personal browser.

In its latest version, Firefox blocks Flash by default, as the add-on has often proven to be the gateway for exploits.

Mozilla should also be commended for the quick action it took. They found out about the exploit on the morning of August 5, and worked quickly to release the critical update the next day. As a user, it’s good to know that the company acts fast to fix flaws.

Will You Continue to Use Firefox?

While sandboxing makes the other browsers safer, Mozilla has said it is working on proper sandboxing too. Plus, it has several add-ons to guard your privacy and security.

In the end, using Firefox is a personal choice. Still, after this recent exploit, will you continue to use Firefox? Let us know in the comments.

Image Credits: geralt / Pixabay, Junior Gomes / Freeimages, geralt (2) / Pixabay, geralt (3) / Pixabay, Evan Lorne / Shutterstock.com
