
Attention, Mozilla Firefox users. You need to fire up your browser on your computer and download the latest version right now. Mozilla has issued a critical update that fixes a security flaw, which could let hackers steal files from your hard drive.

Apparently, an advertisement on a Russian web site served an exploit that injected a JavaScript payload to search and upload sensitive files from your PC to Ukraine-based servers.

What You Need to Do


  1. Start Firefox. (Windows users, enable your Menu Bar by right-clicking on the settings icon)
  2. In the menu, go to Help > About Firefox or File > About Firefox, depending on your OS
  3. Firefox will automatically start checking for the update and install it
  4. Click Restart Firefox to Update
  5. Go back to About Firefox and check that you are running v39.0.3

If that doesn’t work for whatever reason, then download the latest Firefox version for your operating system and install it.

What Else You Need to Do


Alarmingly, Firefox said that the exploit does not leave any traces on the machine, so if your computer was affected, there is no way to know. Accordingly, Mozilla advises changing your passwords and keys for programs and files associated with the following:


On Windows: subversion, s3browser, and FileZilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients

On Linux: global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, FileZilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts
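To see which of the files on the Linux list exist under your home directory, and therefore which passwords and keys to change, you can inventory them by name. This script is an added example, not from Mozilla or the original article; the directory names used for Remmina, FileZilla and Psi+ and the `.txt`/`.sh` suffix rules are assumptions, and `.psql_history` is added alongside the name listed above.

```python
import os
from pathlib import Path

# File names from the Linux list above. ".psql_history" is an addition here:
# it is psql's default history file name.
HISTORY_FILES = {".bash_history", ".mysql_history", ".pgsql_history", ".psql_history"}
# Directory names are assumptions about where each program keeps its settings.
CONFIG_DIRS = {
    ".ssh": "ssh keys and config",
    "remmina": "Remmina profiles",
    ".remmina": "Remmina profiles",
    "filezilla": "FileZilla site config",
    ".filezilla": "FileZilla site config",
    "psi+": "Psi+ accounts",
}


def classify(rel: Path):
    """Return the rotation category for a path relative to the home dir, or None."""
    name = rel.name.lower()
    if rel.name in HISTORY_FILES:
        return "command history"
    for part in rel.parts[:-1]:          # any parent directory on the list
        if part.lower() in CONFIG_DIRS:
            return CONFIG_DIRS[part.lower()]
    if name.endswith(".txt") and ("pass" in name or "access" in name):
        return "text file named pass/access"
    if name.endswith(".sh"):             # assumption: shell scripts end in .sh
        return "shell script"
    return None


def inventory(home):
    """Walk `home` by file name only (no contents are read) and group matches."""
    home = Path(home)
    found = {}
    for root, _dirs, files in os.walk(home, followlinks=False):
        for fname in files:
            rel = (Path(root) / fname).relative_to(home)
            category = classify(rel)
            if category:
                found.setdefault(category, []).append(str(rel))
    return {cat: sorted(paths) for cat, paths in found.items()}


if __name__ == "__main__":
    for category, paths in sorted(inventory(Path.home()).items()):
        print(f"[{category}] {len(paths)} file(s)")
        for p in paths:
            print(f"    {p}")
```

Any credential stored in, or typed into, a file this reports is one to change; an empty report does not mean the machine was not affected.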

Like with most hacks and exploits, we advise changing all your passwords locally and for online services. This is yet another good reason to install a program like Dashlane, which automatically changes passwords across services.

Why This Is Urgent


“All Firefox users are urged to update to Firefox 39.0.3,” the company wrote on their blog.

According to Firefox, the exploit in question allows someone to “violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim’s computer.”

Since it was restricted to the built-in PDF viewer in Firefox, it only affected the desktop version of the browser and not Firefox Mobile, which does not have that feature.

Who Might Be Safe

There is no guarantee that anyone is safe, but based on Firefox’s disclosures, a few types of users may not be affected. Still, as a precautionary measure, we recommend you enact the aforementioned steps.

Mac Users: Mozilla noted that it had not found any evidence that Mac users were targeted by this exploit, but the vulnerability existed nonetheless.

Ad-Block Users: We don’t recommend using ad-blockers, but in this case, it might have saved some users from the exploit, since it was being served through ads.

Other Browser Users: If you aren’t using Firefox, then don’t worry. You’re safe. Carry on.

Why Are Other Browsers Safe?


Look, no browser is completely safe and such exploits continue to happen. That said, this particular exploit would not have been possible on Google Chrome or the new Microsoft Edge because of a simple reason: full security sandboxing.

While it uses basic sandboxing, Firefox does not fully isolate itself from the operating system. As The How-To Geek explains, Chrome, IE, Edge and others run browser processes with as few user permissions as possible. Think of it as concentric circles:

[Diagram: browser sandboxing in Chrome and Firefox, drawn as concentric circles]

As this diagram shows, with Firefox, an exploit only has to get through Firefox to reach the operating system. With Chrome or IE, it needs to get through the browser, and then additionally get through the “sandbox” that separates it from the operating system. That means the exploit needs to target two vulnerabilities, not one, which is not an easy task.

Things like this have made some people say Firefox is the least secure browser.

Should You Not Use Firefox?


It’s not that simple. Chester Wisniewski, senior security adviser for Sophos, told CSO Online that sandboxes are a useful tool to thwart attacks, but not a requirement to be safe to browse with. Wisniewski himself uses Firefox as his personal browser.

In its latest version, Firefox blocks Flash by default, as the add-on has often proven to be the gateway for exploits.

Mozilla should also be commended for the quick action it took. They found out about the exploit on the morning of August 5, and worked quickly to release the critical update the very next day. As a user, it’s good to know that the company acts fast to fix flaws.

Will You Continue to Use Firefox?

While sandboxing makes the other browsers safer, Mozilla has said it is working on proper sandboxing too. Plus, it has several add-ons to guard your privacy and security.

In the end, using Firefox is a personal choice. Still, after this recent exploit, will you continue to use Firefox? Let us know in the comments.

Image Credits: geralt / Pixabay, Junior Gomes / Freeimages, geralt (2) / Pixabay, geralt (3) / Pixabay, Evan Lorne / Shutterstock.com

  1. sunny strapp
    August 14, 2015 at 12:39 pm

    updated as described and ended up with firefox 40.0.2. Things are moving along quickly.
    I use firefox for some things but have mainly replaced it with opera.

    • Mihir Patkar
      August 17, 2015 at 2:26 pm

      Oh wow, an FF to Opera convert! I'm intrigued. If you don't mind explaining, what made you switch?

      • sunny strapp
        August 19, 2015 at 11:31 am

        I'm not a complete convert... I guess the biggest reason is I tend to be a non mainline user. Preferred GEM to Windows, way back there, and still haven't forgiven the world for downing GEM. I use Linux Mint. I even decided to try iMac when they first appeared. Discovered what the line "think different" meant. What a disaster that was. Back to normal when XP landed. Am hanging in with win7 and not unhappy. I really like the desktop on Opera, and the speed dial. It's easy to use and I find it fast enough for all my needs. When in Linux I do use FF. Not a very biased answer, hmmm?

  2. Steven Douglas
    August 11, 2015 at 5:07 pm

    I use Waterfox with Start Page and Aviator both different but each having its advantages. To say one only uses a single browser seems a bit like being a one trick pony. How long will it be before some ne'er-do-well finds a way around sandboxing, it is incumbent upon you the user as well as the browser/website/etc. to be vigilant as expounded upon by John Philpot Curran... "which condition if he break, servitude is at once the consequence and punishment of his guilt".
    Although MUO does not advocate AdBlocker it is a useful tool along with blocking the referer and deleting cookies at the end of your session every thing you do to be proactive can be of use.

    • Mihir Patkar
      August 11, 2015 at 6:12 pm

      I agree with your basic premise: The onus is upon the user. I wish it wasn't that way, but that's the reality of the situation.

      That said, any browser which takes some pressure off the user is good, right? Sandboxing does that, to a large extent.

      • Steven Douglas
        August 11, 2015 at 7:04 pm

        Yes I am in agreement, I do wish Firefox had sandboxing, and as indicated they are working on it. That they are proactive is a testament to their commitment to be one of the best available browsers. Additionally I would like to thank you and your organization for the heads up as I was unaware of this flaw. Since this is a Patch how does it prevent the intrusion?

        • Mihir Patkar
          August 11, 2015 at 7:09 pm

          You're welcome! The patch basically plugs the hole for the javascript exploit, as far as I can tell. I don't understand the technical details beyond that, unfortunately, sorry :)

  3. Zoran
    August 11, 2015 at 7:23 am

    I will use Firefox, simply cause it is still THE best browser (for me, at least). I don't use sandboxing, even disabled that option in Avast (@ home) and Comodo (@ work).

    Regarding your step 1 --- Start Firefox. (Windows users, enable your Menu Bar by right-clicking on the settings icon) --- there is no reason to enable Menu Bar. You just should click "hamburger" button > ? > About Firefox

    • Mihir Patkar
      August 11, 2015 at 1:00 pm

      Ah I was looking for About Firefox through the Hamburger button and just couldn't find it. Thanks for pointing it out!

  4. James Howde
    August 10, 2015 at 10:14 am

    I think I'll keep on using Firefox because I like it.

    After all if I switch there will probably be another security scare story along soon saying the Chromestore is full of malware, or Edge can be used as a gateway to the demon dimension.

    Thanks for the warning though. It will remind me to be more careful when visiting those dodgy Russian portals - at least for a while anyway.

    • Mihir Patkar
      August 11, 2015 at 6:13 pm

      In soviet russia, adware come to you.

  5. likefun butnot
    August 8, 2015 at 7:15 pm

    I'm more of a Palemoon person these days, but I think Mozilla-derived browsers have the best overall experience and offer better security among desktop browsers thanks in large part to the collection of add-ons made for that purpose.

    Chrome still doesn't have granular javascript permissions or as comprehensive an addon ecosystem and Edge doesn't even have addon support yet. I can't say that there's really even a contest at this point.

    • Mihir Patkar
      August 9, 2015 at 5:09 pm

      Fair enough. You don't think sandboxing is necessary though?
