Posts tagged with "Firefox"



A major vulnerability discovered by Mozilla lurking in an advertisement shown by a Russian news site could steal your files and upload them to a Ukrainian server without you ever knowing.

The flaw exploits Firefox’s PDF viewer and the JavaScript context to inject a script that can search for and upload local files. All you need to do is load the page with the exploit and it’ll silently steal files in the background.

Interestingly, the files it searches for on the local system are mostly developer-focused. On Windows, the attack specifically looks for FTP configuration files, Subversion, .purple and other account information. On Linux, it looks for global configuration files and user directories.

Mac users aren’t specifically targeted by the attack that was discovered, but wouldn’t be immune if targeted.

The attack doesn’t appear to be widespread right now, having only been spotted on a Russian ad network, but it’s likely only a matter of time until it spreads as more people discover it.

All versions of Firefox are affected and Mozilla says that to protect against the exploit you should update to version 39.0.3 right now. Enterprise users can patch to 38.1.1.


The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

Adobe Flash, the much-loathed, bug-plagued relic of a browser plugin, just got a big nail driven into its coffin.

Mozilla blocked Flash by default in its Firefox browser late Monday night, a day after Facebook’s security chief called for Adobe to kill Flash once and for all.

The Flash-bashing picked up last week after revelations that the spyware giant known as the Hacking Team had been using Flash to remotely take over people’s computers and infect them with malware. (That discovery took place after the Hacking Team was hacked. Documents revealed in the breach showed that the Hacking Team exploited two critical vulnerabilities in Flash’s code.)

“It is time for Adobe to announce the end-of-life date for Flash,” tweeted Facebook security chief Alex Stamos on Sunday.

Mozilla’s support chief Mark Schmidt quickly followed suit by tweeting that all versions of Flash had been turned off in Firefox. That means Firefox users will not be able to turn on the plug-in to access Flash content — they’ll have to seek out another browser if they need to use Flash.

Adobe did not immediately respond to a request for comment.

The good news for Firefox users is that most won’t notice a change. Just under 11% of websites use Flash, according to W3techs, a technology survey company.

Flash is a type of software called “middleware,” an add-on extension to the browser that allows rich content to be viewed. It had been widely used a decade ago, powering most of the Web’s games, animations and videos. When YouTube launched in 2005, its videos were entirely Flash-based, requiring its audience to install the Flash plug-in software in order to watch YouTube media.

It’s been a long time coming, but users of the Firefox and Opera browsers no longer need to rely on Chrome to access the WhatsApp Web client: the most popular smartphone messaging service has announced that the Web-based version of its service now works on Firefox and Opera too.

Almost a month ago, WhatsApp launched the web client of its service, but access was limited to Google Chrome users. Now, the company is giving desktop users more choice by launching WhatsApp Web today for the Opera and Firefox browsers, though you’ll still have to wait a little longer if you’re a Safari user.

WhatsApp Web is nothing more than an extension of the core mobile WhatsApp application. It syncs conversations from your smartphone to your PC, with everything stored on the mobile device itself.

To set up WhatsApp Web on a PC or laptop running Google Chrome, Mozilla Firefox or Opera, you need to follow the same steps, as the sign-up process is the same as with the Chrome browser:
Interested WhatsApp users simply need to open Chrome and navigate to http://web.whatsapp.com
A QR code will appear on the web page, which must be scanned using the WhatsApp mobile application to activate the service.
By scanning the QR code that appears, users will automatically have paired their mobile WhatsApp with the WhatsApp web client, as shown.

For now, WhatsApp Web only works with Android, Windows Phone and BlackBerry devices. Unfortunately, iPhones still don’t have the capability to scan the WhatsApp Web QR code: there’s no web solution at this time for iOS users because of limitations of the platform.

Currently, WhatsApp has 700 million users sending 30 billion messages per day, and is bigger than most of its competitors, including Facebook Messenger, Line and WeChat. Now, this new WhatsApp web client available for a wider range of browsers will definitely increase its market.

The Mozilla Foundation is reminding everyone how committed it is to the idea of data privacy, and is showing this commitment with a donation to the Tor network. It is giving Tor a helping hand by donating some of its spare decommissioned hardware, including Juniper EX4200 switches and three HP SL170zG6 systems.

A blog post from Mozilla states that it is glad to assist and pleased to further the work of the anonymity system by activating 12 additional relay networks that can be used to ensure uptime and absorb incidents relating to maintenance or failure.

A spokesperson from Mozilla said:

“We chose to make use of our spare and decommissioned hardware. The current design is fully redundant. This allows us to complete maintenance or have node failure without impacting 100 percent of traffic…The worst case scenario is a 50 percent loss of capacity. The design also allows us to easily add more servers in the event we need more capacity, with no anticipated impact.”

The move by Mozilla is a part of the Polaris Privacy Initiative that Mozilla launched last year, when the firm said that it was backing user-led privacy control for the internet.

When the Tor talk began, the people from Tor expressed their excitement, and Andrew Lewman of the Tor Project said:

“The Tor Project is excited to join Mozilla as a launch partner in the Polaris programme. We look forward to working together on privacy technology, open standards, and future product collaborations.”

Mozilla launched the middle relay nodes in mid-January as a proof of concept. Tor, of course, is based on Mozilla’s Firefox browser.