Attention, Mozilla Firefox users. You need to fire up your browser on your computer and download the latest version right now. Mozilla has issued a critical update that fixes a security flaw, which could let hackers steal files from your hard drive.
What You Need to Do
- Start Firefox. (Windows users, enable your Menu Bar by right-clicking on the settings icon)
- In the menu, go to Help > About Firefox or File > About Firefox, depending on your OS
- Firefox will automatically start checking for the update and install it
- Click Restart Firefox to Update
- Go back to About Firefox and check that you are running v39.0.3
If that doesn’t work for whatever reason, then download the latest Firefox version for your operating system and install it.
What Else You Need to Do
Alarmingly, Firefox said that the exploit does not leave any traces on the machine, so if your computer was affected, there is no way to know. Accordingly, Mozilla advises changing your passwords and keys for programs and files associated with the following:
On Windows: subversion, s3browser, and Filezilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients
On Linux: global configuration files like /etc/passwd; then, in all the user directories it can access, it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts
As with most hacks and exploits, we advise changing all your passwords locally and for online services. This is yet another good reason to install a program like Dashlane, which automatically changes passwords across services.
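For the Linux list above, here is an added example (not from Mozilla or the original article) that inventories matching files under one home directory, so you know which passwords and keys to rotate. The directory locations and the `.txt`/`.sh` extension filters are assumptions; the script prints paths only and never opens the files.

```shell
#!/bin/sh
# Added example: inventory files under one home directory that match the
# Linux list in Mozilla's advisory. Prints "category<TAB>path" lines.
# Directory locations and the .txt/.sh extensions are assumptions,
# not taken from the advisory.

# Prefix each path read from stdin with a category label.
tag() {
    while IFS= read -r path; do printf '%s\t%s\n' "$1" "$path"; done
}

list_exposed_files() {
    root="${1:?usage: list_exposed_files HOME_DIR}"

    # Shell and database client history files.
    for name in .bash_history .mysql_history .pgsql_history; do
        if [ -f "$root/$name" ]; then printf 'history\t%s\n' "$root/$name"; fi
    done

    # SSH configuration files and keys, plus application configs.
    # Assumed default locations; adjust for your distribution.
    for entry in ssh:.ssh remmina:.remmina remmina:.config/remmina \
                 remmina:.local/share/remmina filezilla:.filezilla \
                 filezilla:.config/filezilla psi+:.config/psi+ \
                 psi+:.local/share/psi+; do
        label=${entry%%:*}
        dir=$root/${entry#*:}
        if [ -d "$dir" ]; then find "$dir" -type f | tag "$label"; fi
    done

    # Text files with "pass" or "access" in the name, and shell scripts.
    find "$root" -type f \( -iname '*pass*.txt' -o -iname '*access*.txt' \) \
        2>/dev/null | tag named-text
    find "$root" -type f -name '*.sh' 2>/dev/null | tag shell-script
    return 0
}

# Run as: sh inventory.sh "$HOME"
if [ "$#" -gt 0 ]; then list_exposed_files "$1"; fi
```

Every credential stored in or used from a listed file is a candidate for rotation, including any SSH key pairs found under `.ssh`.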
Why This Is Urgent
“All Firefox users are urged to update to Firefox 39.0.3,” the company wrote on its blog.
According to Firefox, the exploit in question allows someone to “violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim’s computer.”
Who Might Be Safe
There is no guarantee that anyone is safe, but based on Firefox’s disclosures, a few types of users may not be affected. Still, as a precautionary measure, we recommend you enact the aforementioned steps.
Mac Users: Mozilla noted that it had not found any evidence that Mac users were targeted by this exploit, but the vulnerability existed nonetheless.
Ad-Block Users: We don’t recommend using ad-blockers, but in this case, one might have saved some users from the exploit, since the exploit was being served through ads.
Other Browser Users: If you aren’t using Firefox, then don’t worry. You’re safe. Carry on.
Why Are Other Browsers Safe?
Look, no browser is completely safe, and such exploits continue to happen. That said, this particular exploit would not have been possible on Google Chrome or the new Microsoft Edge for a simple reason: full security sandboxing.
While it uses basic sandboxing, Firefox does not fully isolate itself from the operating system. As The How-To Geek explains, Chrome, IE, Edge and others run browser processes with as few user permissions as possible. Think of it as concentric circles:
As this diagram shows, with Firefox, an exploit only has to get through Firefox to reach the operating system. With Chrome or IE, it needs to get through the browser, and then additionally get through the “sandbox” that separates it from the operating system. That means the exploit needs to target two vulnerabilities, not one, which is not an easy task.
Things like this have made some people say Firefox is the least secure browser.
Should You Not Use Firefox?
It’s not that simple. Chester Wisniewski, senior security adviser for Sophos, told CSO Online that sandboxes are a useful tool to thwart attacks, but not a requirement to be safe to browse with. Wisniewski himself uses Firefox as his personal browser.
In its latest version, Firefox blocks Flash by default, as the add-on has often proven to be the gateway for exploits.
Mozilla should also be commended for the quick action it took. The company found out about the exploit on the morning of August 5, and worked quickly to release the critical update the very next day. As a user, it’s good to know that the company acts fast to fix flaws.
Will You Continue to Use Firefox?
While sandboxing makes the other browsers safer, Mozilla has said it is working on proper sandboxing too. Plus, it has several add-ons to guard your privacy and security.
In the end, using Firefox is a personal choice. Still, after this recent exploit, will you continue to use Firefox? Let us know in the comments.