Update Firefox NOW to foil FILE-STEALING vulnerability exploit, warns Mozilla

Firefox users have been urged to update to browser version 39.0.3, following the discovery of a vuln that allows an attacker to read and steal sensitive local files on the victim's computer via the browser's PDF reader. The Firefox exploit, discovered by security researcher Cody Crews, allows an attacker to violate the same …

  1. Anonymous Coward
    Anonymous Coward

    Just use an external PDF reader and not the shite JS one, Okular does nicely.

    1. Anonymous Coward
      Anonymous Coward

      Of course, that's until they package multiple exploits in the same PDF so it can attack you no matter which PDF viewer you try.

      1. BillG
        Holmes

        Note to Mozilla

        Note to Mozilla:

        Please design from the start with security that is hand in hand with the application code, instead of designing the application code first then patching security later. This is how us experienced hardware guys do it.

        This way you don't have to push out browser updates that are emergency security updates of the previous version. Thank you.

  2. thames

    Update Done

    I'm using Ubuntu and the update notice popped up in the left hand launcher bar just before this story came up in my RSS news feed after I turned my computer on. Two clicks later and I was brought up to the latest version while I was skimming through and marking out other news stories to read. Utterly painless.

    This is one of the nice things about using a mainstream Linux distro. All updates come in ASAP, not a month later, and they go through one easy to use update interface which handles the item affected plus any third party dependencies as well.

    Linux distros have done this right, and it's something that Microsoft and Apple really need to copy. If they did, then more people would keep their software updated properly, and we wouldn't have the horrific update system in Windows with 57 different third party custom updaters running in the toolbar all fighting with each other and flinging annoying pop ups at you every 5 minutes.

    As for this specific vulnerability, it sounds like someone is trying to mass-harvest developer passwords to various developer oriented accounts and servers.

    1. Anonymous Coward
      WTF?

      Re: Update Done

      "Linux distros have done this right, and it's something that Microsoft and Apple really need to copy."

      You're mixing applications with Kernels / OS'

      My FF is up to date with 0 clicks on a windows box.

      1. Roo
        Windows

        Re: Update Done

        "You're mixing applications with Kernels / OS'"

        He specifically said "Linux distros", so no he is not mixing apps with kernels/os.

        "My FF is up to date with 0 clicks on a windows box."

        Glad that works for you ... On the other hand some folks prefer to be asked if an update should be applied first. It's not as if broken updates are rare in this day and age...

      2. Anonymous Coward
        Anonymous Coward

        Re: Update Done

        "You're mixing applications with Kernels / OS'"

        Since I suspect you may be unaware, Linux has a single package manager (varies depending on distro, but mostly it's YUM/DNF for RPM based distros and APT for DEB based).

        This single package manager is responsible for updating, as you said, the kernel, but also *every* application which is installed using it. This means you can update your entire OS and *all* applications with one command/click.

        It is this that Windows needs to emulate, although I suspect they're most of the way there with the Windows Store, they just need users to be installing applications from the store rather than random sites/discs for it to apply. That'll be their challenge.

        It is the "every application has its own updater" which is ugly and has a negative impact on users updating. I don't want 15 update applications (Adobe, Chrome, Firefox, Java, LibreOffice etc. etc.) sat checking for updates all the time, so commonly disable said updaters.

        1. thames

          Re: Update Done

          @AC - "This means you can update your entire OS and *all* applications with one command/click."

          Exactly. There's one updater, it runs on a schedule I can set, I decide where it gets its updates from, it batches up different updates together so I can run them all at once, and I can set different schedules for checking for security and routine updates if I wish, or even turn off everything except security updates. I can even turn off new OS version upgrades (something else Microsoft seems to need to learn).

          I can even set up my own repos on my own network, and just point the updater on each PC at that. This supposedly super-enterprise feature is the bog standard method which Linux distros have been using for decades.

          @AC - "I suspect they're most of the way there with the Windows Store, they just need users to be installing applications from the store rather than random sites/discs for it to apply. "

          With Ubuntu (and most Linux distros no doubt), the same updater will also work with third party repos. I'm not limited to just the Ubuntu repos ("app store"). All I need to do is to add the third party repos to the list. There's nothing special about the distro's own repos in that sense.

          So I think that Microsoft needs to not just update from their own "app store", they also need to let users add third parties such as Mozilla, Adobe, or whomever, and get updates from those third party servers as well. Linux distros have been doing this for years, and there's no need for Microsoft to have a monopoly on this service. Indeed making Microsoft store apps the only source would simply take us right back to the same problem, since everyone else would be forced to run their own updaters to avoid giving Microsoft a cut of their revenues.

          For Microsoft, substitute Apple if you're using one of their brand of PCs. It's the same problem in either case.

          1. Vector

            Re: Update Done

            "With Ubuntu (and most Linux distros no doubt), the same updater will also work with third party repos"

            Yeah, and it'll really suck if anyone ever poisons one of those third party repos which, at the moment, would be far more likely in a Microsoft implementation than Linux due to the installed base and the (lack of) sophistication of the users.

            1. Charles 9

              Re: Update Done

              Or simply finds a way to attack the package manager itself. Sounds a lot like single point of failure to me.

              1. Anonymous Coward
                Anonymous Coward

                Re: Update Done

                "Sounds a lot like single point of failure to me."

                Oh no! What I want is dozens of separate sloppily written update apps all requiring admin powers and constantly peering all over the interwebs, each using whatever protocol and half-baked authentication strategy that happened to spring to "mind". Every one of them oblivious to whether "home" had gone rogue or been bought/subverted by the mob/NSA or whatever...

                Yes! That's what I want. Multiple "redundant" points of failure. If one doesn't fail there's still a gazillion others to do so. Marvellous. If only there was a "system" that "worked" like that.

            2. thames

              Re: Update Done

              @Vector - "Yeah, and it'll really suck if anyone ever poisons one of those third party repos"

              Well they can do that right now, can't they? The existing proprietary custom updaters would pull the poisoned application updates down just as well as a hypothetical Microsoft updater would. The suggestion has nothing to do with solving the existing security problems of the vendor's servers. It's simply about simplifying the software running on the client and making it easier to use. If the client software is less painful to use, more people will keep their software security patches up to date.

            3. This post has been deleted by its author

    2. handle

      Re: Update Done

      @thames - in theory your update is done. In practice the updater installed a new Firefox last night, but nothing has asked me to re-start - the process has been running since 4th August (when the Ubuntu desktop last pulled its "I'll kill all the applications when coming out of suspend" trick). Not helped by Firefox telling me its version is "39.0" as mentioned elsewhere.

      Update: after restarting it now says "39.0.3". Hindsight is a wonderful thing...

      Oh, and is there any way to restart Firefox without it forgetting all its tabs, apart from "killall firefox" or other unorthodox ways of terminating the application?

      1. thames

        Re: Update Done

        @handle - "Oh, and is there any way to restart Firefox without it forgetting all its tabs, apart from "killall firefox" or other unorthodox ways of terminating the application?"

        Just quit normally (e.g. ctrl-Q), and then when you restart it select History ==> Restore Previous Session. It will open up all the previous tabs and windows and start you off in the same place as before you quit. It doesn't render each tab until you switch to it to avoid the "thundering herd" problem, and if you were logged in to a web site you might have to log in again, but other than that there's no difference from where you were before.

        If you just want a few specific selected tabs re-opened, look in the History ==> Recently Closed Tabs menu, where it keeps a handful of your more recent tabs and will restore any (or all) of those if you select them.

      2. brucec

        Re: Update Done

        "Oh, and is there any way to restart Firefox without it forgetting all its tabs, apart from "killall firefox" or other unorthodox ways of terminating the application?"

        Type about:config into the address bar, search for browser.showQuitWarning and set it to true. Now, when you quit you'll be given the option of saving tabs before quitting. This used to be the default behavior years ago.

      3. Fibbles

        Re: Update Done

        "Oh, and is there any way to restart Firefox without it forgetting all its tabs, apart from "killall firefox" or other unorthodox ways of terminating the application?"

        Strange, for me the package manager downloaded the update and installed it. Firefox then popped up a message box saying a new version had been installed and to click here to restart the application. I clicked it and Firefox closed and reopened with all the same tabs as before...

        1. handle

          Re: Update Done

          Thanks for the tips guys. Fibbles: yes, that's exactly what Firefox used to do, but didn't do it this time. It was probably preoccupied warning me about Flash. :)

  3. Gordan

    Sandboxing

    It is past time that the standard security model on all operating systems is redesigned along the lines similar to Android, where every application runs inside its own sandbox.

    User logs in as "username", and for each application on the system, for each user, an account is created, for example "username_firefox". Firefox then runs as it would if you execute it with "sudo -u username_firefox firefox", and if it is compromised, the only files available to the attacker are the ones available to account "username_firefox", not the parent account "username".

    I switched to this model a while back when the Steam bug surfaced that deleted all files on the system the invoking user had permissions to delete.

    This isn't even all that inconvenient, since you can simply make the "username_firefox" home directory sticky group owned by group "username" with write permissions, so the parent user can still go and access all the downloaded files and suchlike under the sandbox account.

    What I keep wondering is why something like this hasn't been made to be default on any Linux distributions (other than Android, if you want to consider that a Linux distribution) already.
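    The per-application account scheme described in this post, as an added shell example that is not the post's author's own code: it assumes a Linux host with useradd, sudo and a sudoers.d directory, and the user name "alice" and application "firefox" are illustrative. The setup commands are printed rather than executed so they can be reviewed before being run as root; the last function checks that a sandbox home directory has the setgid, group-writable, not-world-accessible layout the post relies on.

```shell
#!/bin/sh
# Added example: one sandbox account per (user, application) pair,
# following the "username_firefox" scheme from the comment above.
# Names are illustrative; nothing here is run as root by itself.

# Derive the sandbox account name, e.g. sandbox_name alice firefox -> alice_firefox
sandbox_name() {
    printf '%s_%s\n' "$1" "$2"
}

# Emit the root-side commands that create the sandbox account, give its home
# directory to the parent user's group with the setgid bit (so files Firefox
# downloads inherit that group), and allow the parent user to launch the app
# under the sandbox account via sudo. Review the output, then pipe it to sh as root.
sandbox_setup_cmds() {
    user="$1"; app="$2"
    sb=$(sandbox_name "$user" "$app")
    home="/home/$sb"
    cat <<EOF
useradd --system --create-home --home-dir $home --shell /usr/sbin/nologin $sb
chgrp $user $home
chmod 2770 $home
echo '$user ALL=($sb) NOPASSWD: /usr/bin/$app' > /etc/sudoers.d/$sb
chmod 0440 /etc/sudoers.d/$sb
EOF
}

# Return 0 if a directory has exactly the layout the post describes:
# owner rwx, group rwx with setgid (the "s"), nothing for others.
sandbox_home_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    perms=$(ls -ld "$dir" | cut -c1-10)
    [ "$perms" = "drwxrws---" ]
}

# Usage on the parent account once the setup commands have been applied:
#   sudo -u "$(sandbox_name alice firefox)" firefox
```

On a real desktop the sandbox account also needs access to the display (an XAUTHORITY it can read, or an xhost grant), which the post does not cover; the parent user can read downloads through the shared group but only write to them if the sandbox account's umask is group-writable.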

    1. Mage Silver badge

      Re: Sandboxing

      Licensed Android, aka Google Spyware isn't a good example. Serious Privacy fail with it.

      Browsers ought to be 100% sandboxed.

      1. Destroy All Monsters Silver badge
        Holmes

        Re: Sandboxing

        Browsers ought to be 100% sandboxed.

        Someone downvoted this?

        Some people really need to be "marched to the door of the oven", to inappropriately cite Huckabee the Huckster.

    2. This post has been deleted by its author

    3. Anonymous Coward
      Anonymous Coward

      Re: Sandboxing

      Sandboxing has done sod all for security these days. Java has a sandbox, too, and what happens? Sandbox bypass exploits get developed. Same for Android and any other sandbox system out there. Due to the need to interact with the system, the whole sandbox idea is about as flimsy as tissue paper.

      1. Gordan

        Re: Sandboxing

        Security has layers. Sandboxing means that the attacker has to have two exploits available to them - one to breach the application itself, and another to escape the sandbox. While this is not guaranteed to thwart the attack, it makes it more difficult and less likely to succeed.

    4. Anonymous Coward
      Anonymous Coward

      Re: Sandboxing

      "It is past time that the standard security model on all operating systems is redesigned along the lines similar to Android..."

      You mean the OS that's just seen two hypercritical vulnerabilities, that don't even require user intervention to launch, in as many weeks?

      1. Anonymous Coward
        Anonymous Coward

        Re: Sandboxing

        Hypercritical? I thought these were ultra-hyper-super-critical? I really hate the use of hyper/super/ultra on top of something already established (critical). It can never end as there's always something worse (or better depending on context).

        It's like the N1 being called a "superphone", it's only been a few years and now there's nothing super about it. But to make a point that the current phones are better, they must sound better, enter hyper, then in another 5 years? etc. etc.

        Fine, re-establish the boundaries for current categories, no need to start hyper-superifying everything.

    5. thames

      Re: Sandboxing

      @Gordan - The sandboxing you describe is the direction that Ubuntu seems to be heading in as a by-product of their mobile efforts. It's not really for security purposes though, it's for user privacy and control of user data. It is intended to allow people to download things like proprietary games from an "app store" without giving those apps access to all of a user's system.

      However, that model won't apply to everything. The normal "standard" stuff from Ubuntu's repos will still be installed and run the traditional way. It's mainly to limit the damage that can be done by malicious or incompetent third party proprietary software.

  4. Mage Silver badge
    Facepalm

    View PDF

    PDF and other NON Web content (ActiveX is worst) has always been stupid in a Browser. Always been better to disable such, no matter if built in or 3rd party plugin.

    1) Only download.

    2) Only from a sensible source and only stuff you really want

    3) Check anything downloaded

    4) Never click/double click/ open /run random stuff to see what it is/does.

    1. Captain Scarlet Silver badge

      Re: View PDF

      I always force my browser to download PDFs and then open, simply because I get furious when said plugin then decides to crash and take the browser tab with it.

      1. Wensleydale Cheese
        Happy

        Re: View PDF

        "I always force my browser to download PDFs and then open, simply because I get furious when said plugin then decides to crash and take the browser tab with it."

        I use the download route because I prefer to use an external PDF viewer.

        If you are doing research on a subject which involves lots of PDFs it's a lot saner than viewing them in a browser.

  5. present_arms

    Update

    The update was already in the repo when I awoke, kudos to those that do it so fast.

  6. DanceMan

    Pale Moon

    Pale Moon users like me need to beware, because updating to fix issues like this will lag behind FF. Alas.

    1. wdmot

      Re: Pale Moon

      So in the meantime don't allow pdf.js. Or don't view PDFs in the browser.

    2. BlartVersenwaldIII

      Re: Pale Moon

      Doesn't PM disable pdf.js by default? pdfjs.disabled == true on my installs at least... always preferred SumatraPDF myself.

  7. Anonymous Coward
    Anonymous Coward

    I'm currently watching Dr Who: The Pirate Planet, written by the late legend Douglas Adams. Here's his take on security.

    The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.

    He was way ahead of all of us.

  8. handle

    Very useful...

    ...that Firefox tells me in Help -> About that it's version "39.0".

  9. Anonymous Coward
    Anonymous Coward

    The fox

    Good

  10. phil dude
    Coat

    new firefox, auto update...

    I installed 40.0b9 and the browser automatically updated itself, before launching.

    I suspect that this will become common to many browsers, and hopefully raise the bar for exploits.

    Looking at the roadmap, we don't get per-process tabs for another 3 versions...

    P.

  11. keepitsimpleengineer

    39.0.3 struggling on my Linux system...

    This version has real problems for me. Slow, quirky and often unresponsive, very different from earlier versions...

    1. Robert Carnegie Silver badge

      Now they've released 40.0

      You can try that, but it won't necessarily improve your experience.

      There also was a reference to Firefox 38 "Long Term Support", which may work as an update where 39 and 40 aren't available? Maybe with some do-it-yourself-ing?

  12. Destroy All Monsters Silver badge
    Gimp

    Fedora 20?

    Argghhhh... no updates.

    Stuck at 38.0.5.

    meanwhile let's just disable it...

  13. Phil Koenig

    Linux updaters

    The "all in one" approach to updating typically only works if every single executable is open-source and the developer is willing to relinquish control over the distribution of their product. And believe it or not, repositories sometimes get compromised, which is one reason why some software developers prefer not to cede control over that critical part of the chain to 3rd parties.

    And while it's a nice utopian fantasy, the whole universe of software will not all become open-source in my lifetime. So, we are sometimes stuck with a bunch of proprietary updaters. Which I don't have a huge problem with if they are GOOD proprietary updaters. Pity how many unnecessarily lousy ones exist.

    Some day some places may actually mandate a minimum level of software quality for some products, especially when its code flaws have a widespread effect on the well-being of the populace. Just like laws that attempt to ensure little things like the automobile you drive has brakes that actually work.

    1. Maventi

      Re: Linux updaters

      Wrong; existing Linux package managers work fine with free and proprietary software alike. The vendor simply hosts their own repository that the system updater (either Yum/DNF or Apt) uses. Vendor gets control, end user gets simplicity.

      See Google Chrome for a great example of how this is done, and it works extremely well.

      There is nothing worse than managing redundant update applications on any OS.
