Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Critical Firefox Update Today

Published: 2015-08-07
Last Updated: 2015-08-07 15:43:45 UTC
by Tony Carothers (Version: 1)
3 comment(s)

The good folks at Firefox have released their latest version, 39.0.3, in response to vulnerability  CVE-2015-4495, which has been seen in the wild and allows an attacker to read and steal sensitive local files.  The vulnerability takes advantage of the interaction between the JavaScript context separation and the PDF Viewer.  The exploit works by injecting a JavaScript payload into the local file context, which allows it to search and upload local files.  Mozilla products that do not contain the PDF viewer are not vulnerable, as well as Mac systems.


**NOTE**: This exploit has been seen in the wild, and leaves no trace it has run on the local machine.  The exploit description described in greater detail at the Mozilla Security website gives additional details on what files are currently being targeted. As with any updates being deployed into the enterprise, we highly recommend testing updates for impact before deployment, and ensure all configuration and change control requirements are maintained.

tony d0t carothers --gmail

3 comment(s)
Diary Archives