LONDON: Mozilla Firefox users are this week being urged to update to the latest version after an exploit was found being used in the wild which allowed the scooping up of files from users’ computers via an ad without leaving a trace behind of the hack.
In a blog post, Mozilla said the ad, found on a Russian news website, was “serving up a Firefox exploit” which allowed code to be run on a user’s computer to search files, which were then uploaded to a server in Ukraine.
The exploit affects Windows and Linux users; Mac users weren’t specifically targeted this time around, but the company warned Mac users “would not be immune” should a hacker decide to target them using the same vulnerability.
And the worst part is, if you’re targeted you’ll have no way of knowing, because the exploit leaves no trace it has been run on your computer.
If you’re like the one million Australians who use ad-blocking software, however, you “may have been protected” from the malicious exploit depending on the type of software you use and the level of filtering, Mozilla has advised.
The vulnerability relates to Firefox’s PDF viewer, so products without a PDF viewer, such as Firefox for Android mobile devices, were not at risk, it said.
Mozilla is urging anyone using Firefox on Windows or Linux to install the latest Firefox — versions 39.0.3 for personal users and Firefox ESR 38.1.1 for enterprise — which include a patch for the vulnerability.
Mozilla has also advised users to change passwords and keys for files potentially affected by the exploit, which seemed to be crafted to steal files on a computer used by software and website developers.
Mike Thompson, a security expert and director of Linus Information Security Solutions, said maintaining patch levels was the most important general measure users could take to reduce their exposure to these kinds of exploits.
However, a “concerning” trend was that hackers are increasingly targeting apps such as web browsers rather than operating systems, which tend to push software updates more actively, he said.
“Operating system patching is generally well structured and often automated, but app patching is far more random,” Mr Thompson said.
“Windows 10 for example is strongly pushing automated patching, but app developers more commonly rely on user initiated processes.”
