My Thoughts on Technology and Jamaica: Mozilla Firefox's PDF Viewer vulnerability - How to hack Mozilla @Firefox Browser and How to prevent the Firefox PDF Viewer Vulnerability

Saturday, August 8, 2015


There is no end to what's been revealed while DefCon and Black Hat Hacking Conferences are going on in Las Vegas, Nevada.

I recently learned that almost 90% of all Google Android smartphones can be remotely controlled via the StageFright vulnerability. This was discovered by security firm Zimperium zLabs, as reported in my blog article entitled “Security Firm Zimperium reveals StageFright Bug – Why Automated Video Playback in @Google @Android is a Hacker's Thermonuclear War”.

Mozilla has announced that their Firefox Browser has a vulnerability that allows anyone to remotely steal your files as reported in the article “Firefox users, here's a security flaw you'll need to fix”, published August 7, 2015 by Lance Whitney, CNET News.



The hack was revealed to the Mozilla Foundation by a very faithful user, security researcher Cody Crews, to whom they tipped their hat in their Press Release on Thursday, August 6th 2015, in the post “Same origin violation and local file stealing via PDF reader”.

So how does this hack work in a nutshell?

Mozilla Firefox's PDF Viewer vulnerability - How to remotely hack via Mozilla Firefox Browser

Apparently a news site in Russia was able to demonstrate the exploit, which exists in Firefox's PDF Viewer, a component written in JavaScript, as explained in the article “Update Firefox now: major vulnerability could steal your data”, published August 7 2015 by Owen Williams, The Next Web.



Theoretically, a hacker can gain access to your computer by creating a website that has a PDF (Portable Document Format) file on it and then sending you a link to their website.

You then click on the PDF document and Firefox's PDF Viewer goes to work, opening the PDF document in your Firefox Browser for viewing. However, the vulnerability that exists in the JavaScript code for Firefox's PDF Viewer allows the hacker's website to inject an executable script, which the JVM (Java Virtual Machine) running on your computer then executes.

In short, you need only visit the infected website and download a PDF file from that hacker's website and you're infected, not much different from the StageFright vulnerability for Google Android smartphones as described in my blog article entitled “Security Firm Zimperium reveals StageFright Bug – Why Automated Video Playback in @Google @Android is a Hacker's Thermonuclear War”.

Thus the hacker, via their website, can remotely log into your computer and search and upload local files. But what's even more troubling is that it works on ANY computer that has a JVM or can run it, be it Windows, Linux or Mac OS, if the hacker is sufficiently skilled or motivated.

Luckily, the exploit can only target System Files that would only be of concern to developers, such as FTP configuration files, subversion, .purple and Log files with personal information on Windows and Linux computers.

Defense Against the Dark Arts - How to prevent the Firefox PDF Viewer Vulnerability

We're lucky that security researcher Cody Crews spotted it early and reported it to Mozilla Firefox. Although potentially as widespread as the StageFright vulnerability is on Google Android, it isn't as pervasive, as the Browser isn't baked into your Macbook Pro, Windows 8 or Ubuntu Linux computer.



A simple upgrade to Mozilla Firefox version 39.0.3 from 38.1.1 and the application of a patch by Enterprise users can defend you from this attack as pointed out in “Mozilla is patching a Firefox exploit that can hijack 'sensitive local files'”, published August 7, 2015 by Colin Lecher, The Verge.

Educating your staff not to click on suspicious websites or email links, as was the case in the JIS (Jamaica Information Service) hack explained in my blog article entitled “Anatomy of ISIS hack of the JIS Website - How the @JISNews Website was hacked and Why Hactivists couldn't access sensitive GOJ Databases”, can also prevent this scenario from occurring.
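For the upgrade step above, here is a way to check a set of machines against the 39.0.3 release. This is an added example, not code from Mozilla or from the articles cited. It assumes each inventory line is a hostname, a tab, and that machine's `firefox --version` output. The hostnames and inventory are constructed, and builds reporting an `esr` suffix are set aside for separate review rather than judged against 39.0.3.

```python
import re

# Release named in the post as the upgrade target (regular channel).
FIXED = (39, 0, 3)

# `firefox --version` prints e.g. "Mozilla Firefox 39.0.3"; ESR builds
# append "esr" to the number.
VERSION_RE = re.compile(r"Mozilla Firefox (\d+(?:\.\d+)*)(esr)?")

# Constructed sample inventory: hostname <TAB> version output.
INVENTORY = (
    "ws-01\tMozilla Firefox 39.0\n"
    "ws-02\tMozilla Firefox 39.0.3\n"
    "ws-03\tMozilla Firefox 4.0\n"
    "ws-04\tMozilla Firefox 39.0.10\n"
    "ws-05\tMozilla Firefox 38.1.1esr\n"
    "ws-06\tfirefox: command not found\n"
)


def classify(version_output):
    """Return 'ok', 'upgrade', 'esr-review' or 'unparsed' for one output line."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unparsed"
    if m.group(2):
        # ESR follows its own version line; do not compare it with FIXED.
        return "esr-review"
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad "39.0" to (39, 0, 0) so it compares as older than (39, 0, 3).
    parts += (0,) * (len(FIXED) - len(parts))
    # Integer tuples avoid the string-comparison trap where "4.0" sorts
    # above "39.0.3" and "39.0.10" sorts below it.
    return "ok" if parts >= FIXED else "upgrade"


def audit(inventory):
    """Map each hostname in the inventory text to its classification."""
    report = {}
    for line in inventory.splitlines():
        host, _, output = line.partition("\t")
        if host.strip():
            report[host.strip()] = classify(output)
    return report


def needs_action(report):
    """Hosts that are not confirmed at or above the fixed release."""
    return sorted(h for h, status in report.items() if status != "ok")
```
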

