[arch-security] [ASA-201508-1] firefox: local file stealing via PDF reader

Remi Gacogne rgacogne at archlinux.org
Fri Aug 7 08:37:38 UTC 2015 

Arch Linux Security Advisory ASA-201508-1
=========================================

Severity: Critical
Date    : 2015-08-07
CVE-ID  : CVE-2015-4495
Package : firefox
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 39.0.3-1 is vulnerable to local file
stealing.

Resolution
==========

Upgrade to 39.0.3-1.

# pacman -Syu "firefox>=39.0.3-1"

The problem has been fixed upstream in version 39.0.3.

Workaround
==========

This issue can be mitigated by disabling the built-in PDF viewer, PDF.js.

This can be done by typing about:config in the address bar, pressing
Enter, looking for the pdfjs.disabled value and setting it to True by
right-clicking on the line and left-clicking "Toggle". Note that
accessing the about:config page might trigger a "This might void your
warranty!" warning, easily dismissed by clicking on the "I'll be
careful, I promise!" button.

Description
===========

Security researcher Cody Crews reported on a way to violate the same
origin policy and inject script into a non-privileged part of the
built-in PDF Viewer. This would allow an attacker to read and steal
sensitive local files on the victim's computer.

Mozilla has received reports that an exploit based on this vulnerability
has been found in the wild.

Impact
======

A remote attacker can craft a malicious web page stealing arbitrary
files from the host running firefox.
Mozilla reports that this flaw is already exploited in the wild. At
least one exploit is targeting Linux and reads /etc/passwd, then in all
the user directories it can access looks for .bash_history,
.mysql_history, .pgsql_history, .ssh configuration files and keys,
configuration files for remina, Filezilla, and Psi+, text files with
“pass” and “access” in the names, and any shell scripts.

References
==========

https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
https://access.redhat.com/security/cve/CVE-2015-4495
https://access.redhat.com/articles/1563163

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150807/4457e432/attachment.asc>

More information about the arch-security mailing list