A critical vulnerability in the Firefox web browser allows an attacker to read files stored on a targeted computer. The flaw (CVE-2015-4495) lies in the browser's built-in PDF viewer and is being exploited in the wild. Mozilla has already released a patch and Firefox users are advised to update their browsers immediately.
The vulnerability was discovered by security researcher Cody Crews, who reported it to Mozilla on August 5. An attacker who exploits it can inject script into a non-privileged part of the built-in PDF viewer; from there the script can read files on the victim's computer and send them to a remote server. Note that this is a same-origin policy bypass rather than remote code execution: the injected script reads files, it does not run native code on the machine.
Mozilla said it was aware of one news site in Russia where an advertisement was serving an exploit for the vulnerability. The exploit searched affected computers for sensitive files and uploaded them to a server in Ukraine. As news of the vulnerability spreads, other attack groups are likely to move quickly to exploit it.
Because the vulnerability permits the theft of private data and is already being exploited in the wild, Symantec advises all Firefox users to update to the latest version (39.0.3) immediately.
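A small check that an administrator can run across a fleet to confirm the update actually landed, added here as an example and not part of the original advisory. It parses the output of `firefox --version` and compares it numerically (so that 39.0.10 is correctly treated as newer than 39.0.3) against the fixed release version given above. The ESR threshold of 38.1.1 is taken from Mozilla's own advisory for this bug (MFSA 2015-78) and is not stated in the text above; the sample version strings are constructed, not captured from real machines.

```python
import re
import shutil
import subprocess

# Minimum versions carrying the fix for CVE-2015-4495.
# 39.0.3 is the release-branch figure from the advisory above.
# 38.1.1 is the ESR figure from Mozilla's advisory MFSA 2015-78
# (not mentioned in the text above).
PATCHED_RELEASE = (39, 0, 3)
PATCHED_ESR = (38, 1, 1)

# Matches a dotted version, optionally followed by the "esr" tag,
# e.g. "Mozilla Firefox 39.0.3" or "Mozilla Firefox 38.1.0esr".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\s*(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return (numeric_tuple, is_esr) parsed from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    nums = tuple(int(part) for part in m.group(1).split("."))
    return nums, m.group(2) is not None


def is_patched(text):
    """True if the version string describes a build that carries the fix.

    Comparison is numeric, component by component, so "39.0.10" is newer
    than "39.0.3"; a plain string comparison would get that wrong.
    """
    nums, esr = parse_version(text)
    minimum = PATCHED_ESR if esr else PATCHED_RELEASE
    # Pad the shorter tuple with zeros so "39.0" compares as (39, 0, 0).
    width = max(len(nums), len(minimum))
    nums = nums + (0,) * (width - len(nums))
    minimum = minimum + (0,) * (width - len(minimum))
    return nums >= minimum


def installed_firefox_is_patched(binary="firefox"):
    """Query the local Firefox binary (assumed to be on PATH, as on Linux)
    and report whether it is patched. Returns None if no binary is found.
    On Windows the GUI executable does not print its version to the
    console, so there the version string must be obtained another way."""
    path = shutil.which(binary)
    if path is None:
        return None
    proc = subprocess.run([path, "--version"], capture_output=True,
                          text=True, check=False)
    return is_patched(proc.stdout)


if __name__ == "__main__":
    # Constructed sample outputs of `firefox --version`, not real captures.
    samples = (
        "Mozilla Firefox 39.0.3",
        "Mozilla Firefox 39.0",
        "Mozilla Firefox 39.0.10",
        "Mozilla Firefox 38.1.0esr",
        "Mozilla Firefox 38.1.1esr",
    )
    for sample in samples:
        print("%-28s patched=%s" % (sample, is_patched(sample)))
    print("installed:", installed_firefox_is_patched())
```

Run the script on a machine to print the verdict for the locally installed browser; import it and call `is_patched()` on version strings collected by an inventory tool to check a whole fleet offline.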
Symantec is continuing to monitor the situation and further updates will be provided if necessary.