Major Vulnerability Found In Firefox, Latest Browser Version Fixes It

11 respostas [Última entrada]
anonymous

http://www.tomshardware.com/news/firefox-security-vulnerability-upgrade-patch,29783.html

"This week, Mozilla was notified by a user that a Firefox vulnerability in the browser's PDF reading functionality, which converts PDF files into Javascript documents, was being actively exploited in Russia. Mozilla is now urging all Firefox users to upgrade to Firefox 39.0.3 or Firefox ESR 38.1.1.

The malware that took advantage of the bug in Firefox's Javascript-based PDF reader was being deployed through ads that appeared on a Russian news site. The malware would search for sensitive files on people's PCs and then upload them to a server in Ukraine. "

What about Icecat?

davidnotcoulthard (non verificado)

Or Abrowser, for that matter?

a_slacker_here
Desconectado
Joined: 06/29/2013

Mmmm. It's good thing that I have the habit of not using javascript and downloading the documents instead of viewing them on the browser.

leny2010

I am a member!

I am a translator!

Desconectado
Joined: 09/15/2011

The latest Abrowser from the repo is at the right level. Icecat - not yet, I'll give quidam a nudge as he said he was planning to give Icecat some extra love about a fortnight ago.

lap4fsf
Desconectado
Joined: 10/12/2014

The latest Abrowser from the repo is at the right level

Hi leni2010,

Abrowser 39.0.3 closes unexpectedly for 32 bit systems. A few forum members too have raised their concerns. Can you communicate this to Ruben or aklis?

Thank you in advance.

Legimet
Desconectado
Joined: 12/10/2013

Try this as a temporary solution:

$ sudo add-apt-repository ppa:legimet/abrowser-kde
$ sudo apt-get update
$ sudo apt-get install abrowser

lap4fsf
Desconectado
Joined: 10/12/2014

Hi Legimet,

I followed your commands.
works now....!!

I shall keep this till an official fix is made available to the public.

Legimet
Desconectado
Joined: 12/10/2013

Yes, they are working on it.

gnulux
Desconectado
Joined: 06/17/2015

The Tom's hardware article is rubbish (sorry for being rude):

Quote 1: The malware that took advantage of the bug in Firefox's Javascript-based PDF reader was being deployed through ads that appeared on a Russian news site.

This is partly incorrect: it was no ad at all, so your adblocker couldn't catch it.

Quote 2:The somewhat good news here is that the exploit seems to have targeted mainly **developers**,(…) On Linux, it targeted configuration files such as /etc/passwd, .bash_history, .mysql_history, .pgsql_history, and .ssh.

Who hasn't got a .bash_history file a /etc/passwd file an .ssh folder??? I'm glad to learn I'm a (mainly) developer, great news, very flattering.

A better source of information isn't even mozilla.org, their blog post being rather terse, https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/

but these pages:

https://news.ycombinator.com/item?id=10021894

https://news.ycombinator.com/item?id=10021865

Some hope for NoScript and uBlock Origin users:
https://news.ycombinator.com/item?id=10022096

Yet, we don't know how long this exploit has been going on. Mozilla advises us to revoke all our keys and change all our passwords. If you use KeepassX, well, that'll keep you busy for a while. Or can we hope the master password hasn't been retrieved as well? I can't find info where and in what form it is kept, however.

onpon4
Desconectado
Joined: 05/30/2012

The master password of a KeePass database isn't "kept" anywhere, it's a key to decrypt the database. So if all an attack did was facilitate reading files on your disk, a KeePass database with a good password would be fine.

I'm pretty sure the master password of the browser's password manager works as an encryption key, too, so any such saved passwords should also be safe if you use a master password there.

Legimet
Desconectado
Joined: 12/10/2013

There's also KWallet, which can use GPG for encryption, but support for this is disabled upstream (in Ubuntu). I build my own packages so that KWallet has the option, and use the Firefox KWallet extension.

gnulux
Desconectado
Joined: 06/17/2015

Many thanks for your answers.

Are you taking any steps, apart from upgrading, like revoking your keys, etc.?

Ah, an interesting article: http://www.welivesecurity.com/2015/08/11/firefox-under-fire-anatomy-of-latest-0-day-attack/