Friday, August 7, 2015

CRITICAL Firefox Exploit In The Wild!
Update to v39.0.3, ESR v38.1.1 or
Firefox OS v2.2 NOW
PLUS a list of ongoing Apple security flaws


[UPDATE: 2015-08-11. Today Mozilla released Firefox v40.0, available HERE.]

[Firefox ESR is the Extended Support Release version, typically used by large organizations who need its special update features and reliability.]

Uh Oh! Firefox is being exploited in the wild, allowing a malicious/hacked website to abuse JavaScript alongside Firefox's PDF viewer to search for and steal files from the user's computer. At the moment, Macs are not yet known to be targets, but are just as vulnerable. You can read about the exploit at Mozilla's website HERE.

Further details about the exploit are available from the Mozilla Security Blog.
The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

Update to Firefox v39.0.3 (or higher) for regular users. Enterprise Firefox users can update to ESR v38.1.1 (or higher). Firefox OS users can update to v2.2.
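If you look after more than one machine, the version thresholds above can be checked against an inventory list. This is an added example, not part of the original post or any Mozilla tool; the host names, the "host,version string" format and the "ESR" marker in the version text are assumptions, and it covers desktop Firefox only.

```python
import re

# Minimum fixed versions, taken from the post above.
FIXED = {"release": (39, 0, 3), "esr": (38, 1, 1)}
VERSION_RE = re.compile(r"\d+(?:\.\d+){1,3}")

def parse_version(text):
    """Return ((major, minor, patch), channel), or None if no version is found."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(0).split("."))
    parts += (0,) * (3 - len(parts))  # pad "39.0" to (39, 0, 0)
    # Assumption: ESR builds are marked with "ESR" somewhere in the string.
    channel = "esr" if "esr" in text.lower() else "release"
    return parts, channel

def status(version_text):
    """Classify one version string as 'ok', 'UPDATE NEEDED' or 'unknown'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"
    parts, channel = parsed
    # Compare as integer tuples; comparing strings would rank "39.0.10" below "39.0.3".
    return "ok" if parts >= FIXED[channel] else "UPDATE NEEDED"

def audit(inventory):
    """Return [(host, status)] for each 'host,version string' line."""
    results = []
    for line in inventory.strip().splitlines():
        host, _, version_text = line.partition(",")
        results.append((host.strip(), status(version_text)))
    return results

# Constructed sample inventory (not real hosts).
SAMPLE = """\
ws-01,Mozilla Firefox 39.0
ws-02,Mozilla Firefox 39.0.3
ws-03,Mozilla Firefox 38.1.0 ESR
ws-04,Mozilla Firefox 38.1.1 ESR
ws-05,Mozilla Firefox 40.0
ws-06,version lookup failed
"""

if __name__ == "__main__":
    for host, result in audit(SAMPLE):
        print(f"{host}: {result}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed safe.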

~ ~ ~ ~ ~

Meanwhile, in the wings, off stage, coming up: We're waiting for Apple to release fixes for a few more security flaws. 

One of them is also being exploited in the wild as a method of infecting Macs with adware and crapware. It is generically called the DYLD_PRINT_TO_FILE exploit. 

Another pair of security flaws is known as the 'Thunderstrike' and 'Thunderstrike 2' rootkits. They involve infecting Mac EFI firmware with malware. Apple has been progressively patching these two problems since 10.10.2, but has not yet entirely blocked them.

The last of the currently prominent security flaws allows hacking the Keychain on both OS X and iOS to steal user passwords. This flaw further implicates problems in Apple's app sandbox system and their security vetting of iOS apps for the iOS App Store. Apple has known about this set of flaws since October 2014 and has so far neglected to patch them. 

It is assumed at this time that Apple will patch this group of security flaws in OS X 10.10.5 Yosemite. So keep an eye out for it in the very near future. If you find it annoying and dangerous that Apple has been sitting on these OS X and iOS security flaws for a considerable amount of time, you're not alone!
