Mozilla 5.0 Exploit


Azucena Jewels

Aug 4, 2024, 10:29:00 PM
to mabittkonxi
The Exploit Database is maintained by OffSec, an information security training company that provides various Information Security Certifications as well as high end penetration testing services. The Exploit Database is a non-profit project that is provided as a public service by OffSec.

The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.


The Google Hacking Database (GHDB) is a categorized index of Internet search engine queries designed to uncover interesting, and usually sensitive, information made publicly available on the Internet. In most cases, this information was never meant to be made public but due to any number of factors this information was linked in a web document that was crawled by a search engine that subsequently followed that link and indexed the sensitive information.


After nearly a decade of hard work by the community, Johnny turned the GHDB over to OffSec in November 2010, and it is now maintained as an extension of the Exploit Database. Today, the GHDB includes searches for other online search engines such as Bing, and other online repositories like GitHub, producing different, yet equally valuable results.


Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.


The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.


Input type date is one of the first things that I hated about Firefox when I started to develop web pages, because I was too much of a noob to include a jQuery date picker. Now I hate that Firefox does not have a Toggle Device Mode like Chrome. But it renders my web site faster than Chrome.


I tend to believe, with the vast amount of knowledge and tools available to developers in this day and time, these type incidents should never happen, but that would probably only be true in a perfect world.


Thank you! Their hypocrisy on this matter is astonishing. The disabling of Flash was nothing more than a PR stunt to try and move more people to the turtle-speed HTML5 that has less than half the necessary features by specification and much fewer in implementation.


The Tor Browser actually allows all sites by default to run scripts, even though it does bundle NoScript; you have to deliberately go back to default-deny, which is what NoScript does on ordinary builds of Firefox.


The exploit requires the PDF Viewer built into Firefox to trigger the vulnerability. If you have disabled PDFs or are using an external program to view them then this would not affect you. You would, of course, have to worry about potential security vulnerabilities in whatever program you were using so make sure you keep that updated!


The only other code we know of that might (might!) combine with the underlying flaw in a vulnerable way is Shumway, which is 1) not shipped by default, 2) currently has the feature in question disabled, 3) the functionality may not be reachable from content in a way that could be exploited, and 4) certainly would not be affected by this exploit which quite explicitly triggers the PDF Viewer. In any case, since we fixed the underlying vulnerability in 39.0.3 anyone testing a pre-release version of Shumway no longer has to worry about even the remote possibility.


However, one consideration is that pdf.js is heavily integrated into Firefox itself and can be triggered with as little as one click. With downloading to disk and viewing from there with a separate program, one is purposefully verifying that that is the PDF that they want to view and not trusting a browser integration that increases attack surface. Up until that point the PDF is just a binary blob.


Mozilla may be able to maintain pdf.js, but is Mozilla maintaining a limited attack surface so users are protected? Part of security is being proactive and restricting the manner exploits may proliferate, not just updates, updates, updates.


For a couple of days we have been receiving an increasing number of on-the-fly encrypted JavaScript trojan variants via spam mail, mostly originating from Ukraine. Maybe the same. Is Thunderbird affected as well?


Any idea how long this vulnerability has been in the pdf viewer? Are there known addresses that have been receiving the exploit uploads? That would allow inspecting firewall logs to see if any data has been exfiltrated.


That is actually a solution, force everything in mozilla firefox to be done in specified working directories including a specified temp & cache directory, unless permission is granted to do otherwise. A permission based system can be overlayed on that, saying that only a particular thread/process is allowed to access each folder.


Firefox really needs some hardening. I remember when the Firefox PDF viewer was introduced one of the benefits was supposed to be security. I am disappointed that all that seems to have done is add a new exploit vector.


This issue is a yawn for anyone running NoScript. The mal-advertisement site JS would not have run at any time, past present or future. All such malware loads from garbage throw-away domains which could not possibly have appeared in the NoScript white-list.


It looks like we have to get the people like Firefox, Opera, Google Chrome, and any other software used for surfing the Internet to stop all this bs with people being allowed to use Java and or any other kind of program having access to and or changing browsers on people's computers, and also stop them from taking data just to use for their sales, and or selling to third parties.


It really is getting bad when any and or all the browsers are now able to hijack your computer, and or let third parties have the abilities to do so when they should have always an option to lock them out and not take part and know exactly what is being installed on anyone's computer.


Why does Firefox have a PDF viewer? That is just bloat and, also, complete nonsense. If one wants to see a PDF document, one downloads it and opens it with some PDF reader. A browser is a browser.

Instead of useless buggy PDF readers, Firefox should support, for example, the MNG file format. Also, bring back the feed icon on the address bar.


It maintains a PDF reader (much like Chrome and Edge bundle their own PDF plugins, except Firefox uses JS rather than a plugin) because people expect to be able to read PDF files in their browsers; this expectation has been there for two decades, ever since someone at Adobe figured out how to hack Netscape to load Adobe Reader, and then Netscape liked the idea and formalized it as NPAPI.


Did you want to say, Firefox includes but does not maintain a built-in PDF reader? That is the reason why hackers targeted it. It still has other issues like slowness or even inability to read large PDF files (compared to Chrome PDF reader), very slow search feature. Basically Firefox PDF reader is useless and annoying if left by default accidentally.


For Windows you have firewall applications (e.g. Kaspersky internet suite) which also monitor disk access behaviour and based on this you can allow or disallow the access. There is a tool such as sandboxie; which got good reviews -172.htm


Or maybe you believe every potential user of your browser codebase should reissue all its authentication data every day of its usage just because some idiot decided to embed the crappiest PDF viewer in the world?


download-installer.cdn.mozilla.net uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.

(Error code: sec_error_unknown_issuer)


What browser are you using? Have you disabled any built in root certificates? Are you under a Man-in-the-Middle attack replacing the certificate? From here the site has a perfectly valid cert issued by DigiCert that should be accepted in all current browsers by default.


I've never had or seen anything like this before. At first I thought I'd gotten a fake firefox update, but I didn't. I've been scanning the heck out of my PC and it seems to be virus free, but Firefox is getting shutdown by MB constantly, even on basic sites like google.com.


CHROME IS WORKING O.K. - SO I AM USING CHROME FOR NOW. But I use FIREFOX EXCLUSIVELY - BECAUSE I LIKE THE SECURITY PLUG-INS FOR NORTON, ETC. PDF MAKER, ETC. THIS IS NOT GOOD - I LIKE MALWAREBYTES I WANT TO KEEP IT, BUT I SHOULD NOT GET ANY FALSE POSITIVES IF THERE AREN'T REALLY ANY VULNERABILITIES OR EXPLOITS. Maybe there is something new with FIREFOX 58.1, I believe MALWAREBYTES Development should get with FIREFOX Development team to figure out what is causing it.


Hey Donna, I'm guessing this is an issue with the new Firefox update and all the major changes MB has recently made to their "web protection", sadly you and I may be the canaries in the mine - so we got it first! :-)


It can either be when Mozilla built the next release of Firefox 58.0.1 a real vulnerability was built into it and that build has the exploit or Malwarebytes is detecting a false positive in Firefox 58 add-on configuration page. Because I disabled all of the add-ons I had and still got the exploit warning. I have now been using Firefox 57 with all add-ons enabled and Malwarebytes is not detecting any exploits. Plus Firefox new version has a new install now called Firefox Quantum v58.0.1.
