On August 6th, the Mozilla Foundation released a security update for the Firefox web browser that fixes the CVE-2015-4495 vulnerability in Firefox’s embedded PDF viewer, PDF.js. This vulnerability allows attackers to bypass the same-origin policy and remotely execute JavaScript that is interpreted in the local file context. This, in turn, allows attackers to read and write files on the local machine as well as upload them to a remote server. The exploit for this vulnerability is being actively used in the wild, so Firefox users are advised to update to the latest version (39.0.3 at the time of writing) immediately.
In this blog we provide an analysis of two versions of the script and share details about the associated attacks against Windows, Linux and OS X systems.
Firefox Under Fire: Anatomy of latest 0-day attack