Mozilla has issued a blog post and a security advisory that you need to know about.
On the 5th of August, a Firefox user informed Mozilla that ‘an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine.’
Naturally, Mozilla has urged its users to update to Firefox 39.0.3, Firefox OS 2.2 (on Firefox phones) and Firefox ESR 38.1.1, which fixes the vulnerability.
Mozilla’s blog post explains that ‘the vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer.’
In case you’re wondering, Mozilla explains that its ‘products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable.’
On Mac OS X, start Firefox, click on the bold word Firefox next to the Apple symbol at the top left hand corner, and click on 'About Firefox'. This will check for udpates and will show you the current version number. If any updates are available, they will commence downloading, after which you will be prompted to restart Firefox to complete the update.
Firefox should be automatically set to install security updates, but if you have older versions there's no guarantee you have this setting on.
On Windows, start Firefox. If you have a dropdown Firefox menu at the top left hand corner of the Firefox browser window, you definitely have an older version.
If you see this version, select Help and then click on 'About Firefox.'
If you have a newer version, you won't see the dropdown Firefox menu on the left, but you will see the three line 'hamburger menu' on the end right hand side on the icons to the right of the address bar and the search box.
To immediately and manually check for updates, click on the three line hamburger menu icon again, and then at the bottom of the menu, click on the 'question mark' symbol.
This brings up the help menu options, at the bottom of which is 'About Firefox'. Do this and the same checking for updates sequence will occur as with Mac OS X, showing you the version number and downloading any updates that are available, after which you will be prompted to 'Restart to Update'.
On the PC and Mac versions of Firefox, you can also click the three line hamburger icon and you'll see menu pop-up. At the bottom is 'options', which loads the preferences/options page in 'General'. On the left hand side of the screen, you'll see a list of settings headings.
The last one is called 'Advanced', which when clicked on gives you opens the advanced settings, which includes an 'updates' heading. Click it and you should see that 'Automatically install updates (recommended: improved security)' is selected and that 'Warn me if this will disable any of my add-ons' is ticked.
This should keep you updated automatically but if you haven't been using Firefox for a while it's a good idea to do a manual check just to be sure.
|
|
Mozilla advises that ‘the exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.’
For additional technical details, please visit the blog post and the security advisory.
