
Firefox Vulnerability

VUIT Security Notice: Vulnerability found in Mozilla Firefox

Vanderbilt IT would like to bring the following information to the technical community’s attention, especially those who use or support the Mozilla Firefox Web browser. A flaw was discovered in Mozilla Firefox that could be used to violate the same-origin policy and inject web script into a non-privileged part of the built-in PDF file viewer (PDF.js).

An attacker can exploit the vulnerability by hosting a malicious PDF document on a web server, which then leads to remote code execution. The vulnerability can be used to siphon data from the victim’s machine (including private SSH keys, the /etc/passwd file, and other potentially sensitive files) without leaving any trace that this has occurred.

Mozilla has released patch 39.0.3, which resolves the issue. Due to the severity of the issue, the patch should be installed as soon as possible. Installing the patch requires a restart of the browser and might also require a reboot of the machine.

All versions of Firefox are affected, on every operating system and operating system version except mobile.

Sources and References:
https://isc.sans.edu/forums/diary/Critical+Firefox+Update+Today/20013/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4495
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/