Mozilla updated Firefox to version 39.0.3 to fix a critical vulnerability that is under active attack.
The company learned of the Zero Day Wednesday morning after a user let them know an ad displayed on a Russian news website had been serving an exploit designed to search for sensitive files on the victim’s system and upload them to a remote server.
The attacker has been targeting certain types of files hosted on Windows and Linux systems, Mozilla officials said. The exploit used in this attack does not target Apple devices, but the company warns Mac users are also at risk because a bad guy could adapt the payload.
The malware looks for S3 Browser, Apache Subversion, and Filezilla configuration files; website configuration files for eight popular FTP clients; and .purple and Psi+ Jabber account information on Windows systems. On Linux, the exploit steals configuration files such as /etc/passwd; .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys; shell scripts; configuration files for Filezilla, Remmina, and Psi+; and text files whose names contain the strings “access” and “pass.” The stolen data is uploaded to a server located in Ukraine.
Mozilla said it is surprising that the malware targets developer-related files, considering it is on a news website. However, it’s possible the exploit went out on other sites as well.
Firefox for Windows and Firefox for Linux users should change passwords and keys found in the files targeted by the attackers. The exploit does not leave any traces on the targeted system.
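To act on that advice, a Linux user first needs to know which of the targeted files actually exist in their account. The Python script below is an added example, not code from Mozilla or from this article; it inventories the file categories listed above under a home directory. The application directory locations, the `.sh` and `.txt` extension checks, and the choice to match either “pass” or “access” in a file name are assumptions.

```python
import os
import sys
from pathlib import Path

# Categories named in the article; directory locations are assumed defaults.
HISTORY_FILES = {".bash_history", ".mysql_history", ".pgsql_history"}
APP_CONFIG_DIRS = {  # assumption: usual per-user locations, adjust as needed
    "filezilla": [".filezilla", ".config/filezilla"],
    "remmina": [".remmina", ".config/remmina", ".local/share/remmina"],
    "psi+": [".config/psi+", ".local/share/psi+"],
}

def _files_under(root: Path):
    """Yield regular files below root without following symlinks."""
    for dirpath, _dirs, names in os.walk(root, followlinks=False):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                yield p

def inventory(home: Path) -> dict:
    """Map each targeted category to matching paths, relative to home."""
    found = {"history": [], "ssh": [], "shell_scripts": [], "named_text": []}
    found.update({app: [] for app in APP_CONFIG_DIRS})
    app_roots = {home / d: app for app, dirs in APP_CONFIG_DIRS.items() for d in dirs}
    for path in _files_under(home):
        rel = path.relative_to(home)
        name = path.name.lower()
        app = next((a for r, a in app_roots.items() if r in path.parents), None)
        if app:
            found[app].append(str(rel))
        elif rel.parts[0] == ".ssh":
            found["ssh"].append(str(rel))          # keys, config, known_hosts
        elif path.name in HISTORY_FILES and len(rel.parts) == 1:
            found["history"].append(str(rel))      # only histories in home itself
        elif name.endswith(".sh"):
            found["shell_scripts"].append(str(rel))
        elif name.endswith(".txt") and ("pass" in name or "access" in name):
            found["named_text"].append(str(rel))   # assumption: either string
    return {k: sorted(v) for k, v in found.items()}

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home()
    for category, paths in inventory(target).items():
        print(f"[{category}] {len(paths)} file(s)")
        for p in paths:
            print(f"    {p}")
```

Every credential, key, or hostname that appears in a listed file is a candidate for rotation; shell scripts and history files need a manual read for embedded passwords.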
Mozilla patched the vulnerability with the release of Firefox 39.0.3 and Firefox ESR 38.1.1. Users should update their installations as soon as possible.