Vulnerability in Mozilla Firefox Could Allow for Privilege Escalation

ITS Advisory Number: 
2015-090
Date(s) Issued: 
Monday, August 10, 2015
Subject: 
Vulnerability in Mozilla Firefox Could Allow for Privilege Escalation
Overview: 

A vulnerability has been identified in Mozilla Firefox which could allow for Privilege Escalation. Mozilla Firefox is a web browser used to access the Internet. Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of this vulnerability may result in an attacker being able to read and steal sensitive local files on the victim's computer.

Systems Affected: 
  • Mozilla Firefox versions prior to 39.0.3
  • Firefox ESR versions prior to 38.1.1
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

A vulnerability has been discovered in Mozilla Firefox's built-in PDF viewer that may allow an attacker to view and steal sensitive files on a victim's computer. This exploit occurs by injecting a JavaScript payload into the local file context, which allows the script to search for and upload potentially sensitive local files of the user. This vulnerability can be exploited in the background when a user visits a specially crafted webpage with the exploit code embedded. The exploit specifically looks for FTP configuration files, subversion, s3browser, Filezilla, libpurple and other account information on a Windows system and Global configuration files and user directories on a Linux system.

Note:  Mac users are not susceptible to the currently available exploit code, however the underlying vulnerability still exists within Mozilla Firefox for Macs and could be exploited by an attacker by creating a different payload.  

Actions: 
  • After appropriate testing, apply updates provided by Mozilla Firefox to vulnerable systems.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.