This week, Mozilla was notified by a user that a Firefox vulnerability in the browser's PDF reading functionality, which converts PDF files into Javascript documents, was being actively exploited in Russia. Mozilla is now urging all Firefox users to upgrade to Firefox 39.0.3 or Firefox ESR 38.1.1.
The malware that took advantage of the bug in Firefox's Javascript-based PDF reader was being deployed through ads that appeared on a Russian news site. The malware would search for sensitive files on people's PCs and then upload them to a server in Ukraine.
As the vulnerability only affects Firefox's PDF.js reader, that means only the desktop version of Firefox is affected by it, but not the Android version. According to Mozilla, the vulnerability doesn't enable the execution of arbitrary code, but the exploit was able to inject a Javascript payload into the local file context that allowed it to search for local files.
The somewhat good news here is that the exploit seems to have targeted mainly developers, despite being deployed on a major Russian news site. For instance, on Windows it looked for the configuration files of various FTP clients, including Filezilla. On Linux, it targeted configuration files such as /etc/passwd, .bash_history, .mysql_history, .pgsql_history, and .ssh. Mac users were not targeted by this exploit, but they would not be immune to a different payload utilizing the same Firefox vulnerability.
The exploit leaves no trace that it has been run on a user's local machine, making it difficult to detect. Mozilla recommended users to change all the passwords and keys for the mentioned files and programs. The company also said that users of adblock programs may have been protected, depending on their enabled ad-blocking filters.
Follow us @tomshardware, on Facebook and on Google+.
