
Firefox exploit found in the wild - _jomo
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
======
cesarb
How many PDF.js security vulnerabilities have been found so far?

A quick Google search found only four:

[https://www.mozilla.org/en-US/security/advisories/mfsa2013-9...](https://www.mozilla.org/en-US/security/advisories/mfsa2013-99/) (another local file disclosure)

[https://www.mozilla.org/en-US/security/advisories/mfsa2015-3...](https://www.mozilla.org/en-US/security/advisories/mfsa2015-33/) (needs to be "combined with a separate
vulnerability" to be exploitable)

[https://www.mozilla.org/en-US/security/advisories/mfsa2015-6...](https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/) (needs to be "combined with a separate
vulnerability" to be exploitable)

[https://www.mozilla.org/en-US/security/advisories/mfsa2015-7...](https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/) (this one)

It still is looking better than the plugin it replaced.

~~~
verroq
> It still is looking better than the plugin it replaced.

Exploiting a bug in a memory unsafe language is much harder than writing some
JavaScript. It is also much less reliable and platform specific.

The real question is why the hell is Firefox not sandboxed?

~~~
zobzu
If you enable e10s in nightly it is. I suppose that's coming up eventually to a
release near you.

------
jacquesm
I don't even want my browser to have a 'local file context', is there a way to
switch such behavior off entirely until explicit permission is given?

All these extra bells and whistles added to browsers to allow websites to
pretend they're 'native apps' should require a very large switch to be thrown
from 'safe' to 'unsafe' whenever an application requests such a thing. And
what a pdf reader has to do with javascript is a mystery as well. Systems that
are too complex are almost by definition insecure.

~~~
fluidcruft
Maybe run it inside a chroot jail? Hmm... that sounds like a good idea just on
principle... there goes my morning. Of course, X11 is still a problem.

~~~
slasaus
"making firefox less insecure":
[http://marc.info/?t=141616714600001&r=1&w=2](http://marc.info/?t=141616714600001&r=1&w=2)

and for those who think lynx is a more secure alternative, read this thread:
[http://marc.info/?l=openbsd-tech&m=140516601718662&w=2](http://marc.info/?l=openbsd-tech&m=140516601718662&w=2)

~~~
yellowapple
That flamewar there in the lynx thread sure looked fun :)

------
Nanzikambe
The lack of additional detail in this very sparse announcement really
compromises users' ability to damage control effectively.

Would like to know if an installation is vulnerable if:

    1) If Applications, PDF is set to "Always ask"
    2) Ublock and/or privoxy are used
    3) Javascript is disabled
    4) pdfjs.previousHandler.alwaysAskBeforeHandling == false
    5) pdfjs.disabled == true

Also which advertising network and which Russian site would be helpful for
blocklists.

~~~
fukusa
Hi,

I reported this 0-day. It used a PDF.JS same origin policy violation to access
local files. You should be safe because you have javascript disabled and
pdfjs.disabled set to true. There's no way for the script to run. It was on an
international news website operating from Russia. The exploit was not on an ad
network. The exploit was simply injected on every news article page through an
iframe. Therefore I assume the news site was compromised. It could have been
deliberately injected by the website operators, but I highly doubt it. The
exploit targeted developers or tech-savvy people. On Linux, it targeted the
contents of the ~/.ssh directory and some other sensitive files. I should say
that I am not a security expert and I came across this 0-day by accident.

~~~
stevenh
Please identify the exact international news website. Was it rt.com?

~~~
fukusa
No it was not. I'm not sure if I should mention which website it was (yet).
The exploit is still active. I am trying to get in touch with them to get it
removed.

------
lorenzhs
Once again, this demonstrates that blocking advertisements is a really good
idea from an InfoSec perspective. Ad blocking not only abates a nuisance, it's
an important security measure.

cf
[https://twitter.com/swiftonsecurity/status/62840155490772582...](https://twitter.com/swiftonsecurity/status/628401554907725824)

~~~
serve_yay
By that logic it's more like an argument for disabling JS entirely - there is
nothing about this that's specific to ads, and the reporter has speculated
that it was placed by an attacker and only disguised as an ad.

~~~
lorenzhs
Not executing any JS is safer, sure, but that's beside the point. If you
strive for absolute security, power off your computer and never touch it
again. This is about what you can do to improve the situation without
impairing usability.

An adblocker doesn't impact usability (in most cases, it improves it
significantly, through lower page load times and less space occupied by non-
content), but prevents the vast majority of malvertising. Blocking all
Javascript blocks all of them, but makes the modern web nearly unusable.

~~~
mat2
Unfortunately, an adblocker impacts income of site owners. Otherwise, I would
have used these programs since a long time, but now my conscience does not
allow it.

~~~
tripzilch
Well, they can ask my conscience to not run an adblocker because otherwise it
impacts their income. If it was just that.

But they cannot ask my conscience to open myself up to security issues because
otherwise it impacts their income.

(note that I have read the rest of the thread and am aware that simply running
an adblocker wouldn't have prevented this exploit)

(second note/disclaimer is that I do run µBlock, for the personal reason that
I feel they also cannot ask my conscience to open my attention to energy-
draining distractions because otherwise it impacts their income)

~~~
lorenzhs
Note that uBlock can be configured to block third party frames, which _would_
have prevented the exploit

------
lloydde
I find the first sentence fascinating, "Yesterday morning, August 5, a Firefox
user informed us...".

I'd love to know more about this person and their skill set. How was the
exploit detected and isolated? How did this issue get reported and resolved in
a day?

Assuming the Mozilla way, I wonder what the bugzilla report will read when it
comes out of embargo.

~~~
fukusa
It's me. I discovered the exploit in the wild when I became a victim of it.
Skill-set limited. I was able to identify it and understand what it basically
does, but not much more.

~~~
lloydde
Modest too, "The script triggered a file dialog showing it was trying to
access a local file. I opened the Developer Tools and saw all kinds of other
files being accessed, including my private and public keys. I nearly got a
heart attack. I quickly revoked all SSH keys and started monitoring the
requests to narrow it down before I submitted the bug ticket with all the
information I had, including the exploit script that was executed."

Wow, lucky that it triggered a prompt. Thanks for the response!

~~~
fukusa
You're welcome. Yeah, that's exactly how I feel.

------
aembleton
If at all possible it would be worth naming and shaming the advertising
network that is allowing this exploit through.

Why do advertising networks allow advertisers to execute Javascript? What need
is there for it?

Every time one of these exploits that use advertising networks is found, it
just increases the value of blockers such as uBlock. Whether you accept
adverts or not, you shouldn't have to accept javascript being executed on your
machine that isn't from the site you visited.

~~~
jacquesm
The networks themselves rely almost exclusively on javascript nowadays so the
websites have little choice, the ad networks then in turn pass some or all of
this trust to whoever makes the creatives, which up until recently were quite
frequently done in flash and are now sometimes in javascript.

Personally I think all ads should be served up in a totally passive visual
format (png, jpeg, gif) and have no other attributes than a non-javascript
link target. That would take care of almost all drive-by injection. But
adnetworks serve up what their customers want and their customers want
interactive ads because the click-through rates are higher and because
otherwise the competition would be doing it and they go out of business.

Ad networks that do serve up javascript should at a minimum pull the script to
their own server and audit the code of the script. Good luck with that though.

Fortunately it's easy enough to install an ad blocker and get rid of that part
of the problem entirely but it would be nice if users without an ad blocker
wouldn't have to worry about this.

~~~
aembleton
I agree. It's actually the animation of the adverts that I find most
distracting. Text, and/or a static image - not an animated gif would be fine.
I would enable ad networks that could guarantee that is all they will serve
up.

~~~
juliangregorian
The distraction is the point. It's no use enabling only the ads that you're
easily capable of ignoring.

------
ffuseronlinux
I believe using "about:config" and setting "pdfjs.disabled" to "true" will
neutralize the vulnerability, at least from the description they gave of it,
but confirmation from them to that effect would be appreciated, especially for
users stuck on the current (or older) version, as the download page
acknowledges some might be:

 _Note: If you use your Linux distribution's packaged version of Firefox, you
will need to wait for an updated package to be released to its package
repository_

It would be particularly scandalous if they knew that disabling pdfjs would
suffice yet refused to mention it because they couldn't bear to see their
precious CPU/memory-hogging scribd knockoff no one asked for being disabled by
their users, in effect putting their grandiose vision of the browser-as-OS
ahead of their users' security.

------
Silhouette
Some more details would be helpful here. Specifically:

1\. If PDF files aren't set to open using Firefox's built-in PDF viewer, was
the relevant system still vulnerable? (That is, if under
Options->Applications, PDFs were set to something other than "Preview in
Firefox", would this attack still work?)

2\. Which were the 8 popular FTP clients potentially affected?

3\. Was this specific case all that could be done or was it an example of a
wider class of potential exploits? (That is, can we actually trust any
sensitive credentials in _any_ applications on any system that has been
running Firefox before today? And could we have disclosed other sensitive
information that was held in well known local files?)

I do deal with sensitive details, and have access to lots of external systems
run by various clients. If there is a real danger here then I need to act. If
there isn't, then I would prefer not to spend the next 1-2 days of my time
updating everything that could have been silently compromised instead of doing
revenue-generating work, and worse, contacting every client I work with to
notify them that their security may have been compromised and it's my
responsibility.

~~~
jacquesm
I'm roughly in the same boat as you but what I don't get is if your work is
that sensitive then why don't you run with at least ghostery, umatrix and
adblock on your machine?

The last thing I need is to have to contact a customer to tell them their data
might have escaped my desktop computer because I took my browser to some
unsafe site.

Also: start your browser in a VM.

~~~
snvzz
Rather than ghostery:

[https://www.eff.org/privacybadger](https://www.eff.org/privacybadger)

~~~
ZeroGravitas
Not compatible with Firefox 40?

------
mike-cardwell
I'll just chuck this old blog post of mine out there:

[https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sop...](https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sophisticated_Attacks)

Specifically, the "Securing the Web browser" section.

[edit] Also worth mentioning is the stuff about smartcards on that blog post.
You can steal my ~/.ssh/ and my ~/.gnupg/, but because I'm using a smartcard,
it won't do you any good.

~~~
pmoriarty
That's a great post. Very thorough. However, a couple of observations
concerning some security issues you might not be aware of:

First, X itself is very insecure, so by allowing your web browser to share the
same X server as the rest of your apps, you are making the rest of your apps
more vulnerable.

Second, the so-called "Trusted" Platform Module you're using for extra entropy
may itself not be very trustable, despite the name. So you may want to rethink
that.

Finally, according to the vendor of the GPG smartcard you're using, "the
software on this card is not available as free software due to NDAs required
for certain parts."

That there are NDAs on parts of the card or the software (it's not clear
which) makes the card suspect, and I don't see where I can get the source of
the code (free or not) that's running on the card. An ideal smart card would,
like gpg itself, have completely open and transparent hardware and software.
I'm not sure if any of those kinds of cards exist, however.

That said, I'm sure all the security measures you're taking in sum make you
far better off than the typical computer user, but there's room for
improvement.

~~~
mike-cardwell
Re X being insecure. Yep. People have brought this up in the comments of the
blog post. It doesn't _reduce_ security by shifting it to a different user,
and no, it's not as good as running under a VM. However it does give it _some_
extra protection. For example it would have protected your main user's ~/.ssh/
and ~/.gnupg/ directories etc that this latest pdf.js vulnerability could have
exposed.

Re the TPM, even in the worst case scenario where the TPM is totally evil, it
can't _reduce_ the randomness on my system. It will either keep it the same or
improve it. At least on Linux, where it is just one extra source of entropy on
top of the other existing ones.

Re the smart card, that may be the case, but it's probably the safest one out
there, recommended and pushed by the guy who wrote GnuPG.

It's worth noting that the blog post is 4 years old now.

------
jonaslejon
Since the vulnerability is in pdf.js, is the Tor Browser Bundle vulnerable?

~~~
asddubs
the latest versions come with noscript, so not unless you explicitly enable
javascript on that site

~~~
sp332
NoScript is installed but disabled by default.
[https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEna...](https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled)

------
chilicuil
Updating software shouldn't give a sense of security, instead use
sandbox/cipher technologies more generalized, for firefox you could use
firejail[0] or sandfox[1].

Or even more general approaches like subuser[2] or Qubes OS[3].

Personally I use FF 28.x + Noscript + Adblock plus + Firejail 0.9.28-1 and I
feel quite confident I won't get hacked by random attacks.

[0] [https://l3net.wordpress.com/2014/09/19/firejail-a-security-s...](https://l3net.wordpress.com/2014/09/19/firejail-a-security-sandbox-for-mozilla-firefox/)

[1] [https://igurublog.wordpress.com/downloads/script-sandfox/](https://igurublog.wordpress.com/downloads/script-sandfox/)

[2] [http://subuser.org/](http://subuser.org/)

[3] [https://www.qubes-os.org/](https://www.qubes-os.org/)

------
callum85
It's awesome that Mozilla detailed exactly what the exploit did, even which
file paths it searched for.

~~~
fukusa
The exploit basically uploaded the contents of a bunch of sensitive files to
some server. Besides uploading the full list of files in the User directory
(not the contents of the files) it uploaded the contents of the following
files:

Linux: /etc/passwd, /etc/hosts, /etc/hostname, /etc/issue, .bash_history,
.mysql_history, .pgsql_history, .ssh/known_hosts, .ssh/authorized_keys\*,
.ssh/id_\*sa\*, .remmina/\*.remmina, .remmina/\*.pref, .config/filezilla/\*.xml,
.filezilla/\*.xml, \*pass\*.txt, \*access\*.txt, \*.sh,
.config/psi+/profiles/default/accounts.xml

Windows (in the User directories AppData/Roaming and Application Data):

    Subversion: config, servers, auth/svn.simple/* , auth/svn.simple/* .*
    SmartFTP: Client 2.0/Favorites/Quick Connect/* .xml
    Psi+: profiles/default/accounts.xml
    Notepad++: plugins/config/NppFTP/NppFTP.xml
    .purple: accounts.xml
    s3browser: * .xml, * .settings
    FileZilla: filezilla.xml, sitemanager.xml, recentservers.xml
    FTP Explorer: profiles.xml
    FTPRush: RushSite.xml
    FTPGetter: servers.xml
    FTP Now: sites.xml
    FTPInfo: ServerList.cfg, ServerList.xml
    GHISLER: wcx_ftp.ini
    Ipswitch: WS_FTP/Sites/ws_ftp.ini
    VanDyke: Config/Sessions/* .ini

~~~
andy112
Hi, I run the site
[https://scriptobservatory.org](https://scriptobservatory.org), which scans
the internet and keeps track of what JavaScript people are sent as they browse
the internet. Could you drop me an email with a copy of the exploit script (OR
a list of a few unique strings found in the exploit script)?

With that, I can search the history of what we've been sent to get a list of
all webpages that this exploit has been seen on.

Email is scriptobservatory -at- gmail -dot- com or you can input it in the "Do
you have a list of websites you want to be scanned regularly?" text box.

~~~
fukusa
Cool, done!

~~~
a_cherepanov
Hi. I work as malware researcher in ESET. Could you please share sample and
malicious URL? email: cherepanov [at] eset [dot] sk

~~~
fukusa
Done.

~~~
Kadilov
Hi fukusa, I know a Russian website (not a news site, it is webdev oriented)
that triggers some PDF error in Firefox 35 and does not do that with latest
Firefox 39.0.3. I sent a bug report to owners 6 days ago (just because PDF
errors on a webpage are strange) and they have not fixed it yet. Could you
check this website? I can send you an URL the way you prefer.

~~~
fukusa
I'm not a security expert. If you have a bug report you'd better report it to
Mozilla here: [https://bugzilla.mozilla.org/](https://bugzilla.mozilla.org/)

------
johnnydoebk
Well, sending some user files to Ukrainian server is a bug.

But sending hashes of your downloads to Google [1][2] is a feature, right?

1\. [https://support.mozilla.org/en-US/kb/how-does-phishing-and-m...](https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work)

2\. [https://bugzilla.mozilla.org/show_bug.cgi?id=1138721](https://bugzilla.mozilla.org/show_bug.cgi?id=1138721)

~~~
sp332
The first page says: "There are two times when Firefox will communicate with
Mozilla’s partners while using Phishing and Malware Protection. The first is
during the regular updates to the lists of reporting phishing and malware
sites. No information about you or the sites you visit is communicated during
list updates. The second is in the event that you encounter a reported
phishing or malware site. Before blocking the site, Firefox will request a
double-check to ensure that the reported site has not been removed from the
list since your last update." That seems pretty reasonable. But the second one
looks like it checks every executable file you download. Why isn't that
mentioned on the FAQ?

~~~
rockdoe
It is? Same FAQ page you listed:

"When you download an application file, Firefox will verify the signature. If
it is signed, Firefox then compares the signature with a list of known safe
publishers. For files that are not identified by the lists as “safe” (allowed)
or as “malware” (blocked), Firefox asks Google’s Safe Browsing service if the
software is safe by sending it some of the download’s metadata."

~~~
sp332
I don't suppose I could just disable that part, without disabling the part I
quoted above?

~~~
rockdoe
You can in about:config, just Google for it.

------
ergothus
All the comments thus far have focused on the un/reasonableness of the
vulnerability, plus some potshots at FF.

I've not seen any discussion about how this exploit is targeting dev keys. I
find that as a data point that we've turned the corner: The coder in this case
decided to grab auth keys/passwords (with a presumably low rate of success).

As logical as it may be (without RCE, not much more they could have done with
a higher rate of success), I don't think it'd have been done ten years ago.

Fascinating.

~~~
fukusa
As far as I understand with this exploit it was only possible to read files,
not write to them or compromise the targets in some other way. With that in
mind, it makes sense to target keys. Because the keys are an indirect way to
compromise new targets.

------
mrbig4545
I guess now is a good time to change my ssh keys. _joy_

even though I don't use pdf.js, have ublock and a strong key password, I'm not
risking it.

I have access to so many servers, I'd rather spend 30 mins changing keys than
take the chance

------
0xffffabcd
Yet another reason to use uBlock and NoScript.

previous discussion:
[https://news.ycombinator.com/item?id=10020361](https://news.ycombinator.com/item?id=10020361)

------
tacone
> Yesterday morning, August 5, a Firefox user informed us that an
> advertisement on a news site in Russia was serving a Firefox exploit that
> searched for sensitive files and uploaded them to a server that appears to
> be in Ukraine.

Which Russian website, excuse me? Why not share the name?

------
jebblue
Browsers are supposed to _browse_ that's all. More and more stuff like this
will come up with HTML5/JavaScript and people will begin to wonder why the
world is jumping through all the JavaScript hoops to build a web app that is
essentially a rich client app when they could use tools that are designed for
that. Are they more or less secure, neither, once you can touch the user's
filesystem the risk is the same which is why it still baffles me that
developers actually want to code in JavaScript and dozens of one off libs when
they could use first class tools which are far better designed. Browsers are
supposed to browse, that is _all_ they are supposed to do.

~~~
andrepd
What is browsing, then? Read-only? Are forums browsing, or interactive apps?
Where do you draw the line?

I'm all for less bloat, and I can't figure why would a browser double as a PDF
reader, for instance, when a native app is invariably faster, more feature-
rich, more customisable and more secure. However, it's difficult to draw a
concrete line between plain browsing and web apps.

~~~
TazeTSchnitzel
> I can't figure why would a browser double as a PDF reader, for instance,
> when a native app is invariably faster, more feature-rich, more customisable
> and more secure.

A native app is _less_ secure. They're all written in memory-unsafe languages,
are not guaranteed to be up-to-date, and do not run sandboxed. Integrating a
JS PDF viewer into the browser hurts performance, but it's more convenient (no
separate app to open, can start reading before it finishes downloading), and
much less likely to be a security risk.

~~~
jebblue
> A native app is less secure. They're all written in memory-unsafe
> languages, are not guaranteed to be up-to-date, and do not run sandboxed.

So how can we even trust the browser if native apps are always less secure
according to you?

The exploit ran despite the sandbox if I understood it right.

~~~
pcwalton
I don't understand the reasoning here at all. Are you arguing that because
sandboxes sometimes have holes in them that they aren't worthwhile?

------
currysausage
Semi off-topic: What does the security track record of Chrome's integrated PDF
viewer (PDFium) look like? Should I make it Click-to-play or is it about as
secure as any other part of the browser?

Edit: NVD does list a bunch of vulnerabilities with "PDFium" in them [1], and
I guess there are a few more from when it wasn't called PDFium yet, but I'm
curious as to how an expert would interpret these numbers.

[1] [https://web.nvd.nist.gov/view/vuln/search-results?query=pdfi...](https://web.nvd.nist.gov/view/vuln/search-results?query=pdfium&search_type=all&cves=on)

~~~
async5
And even latest here
[http://googlechromereleases.blogspot.co.il/2015/07/stable-ch...](http://googlechromereleases.blogspot.co.il/2015/07/stable-channel-update_21.html) \- 5 of them has pdfium

~~~
currysausage
Guess I will click-to-play PDFium, like all other plug-ins. Thanks!

~~~
async5
There is also [https://chrome.google.com/webstore/detail/pdf-viewer/oemmndc...](https://chrome.google.com/webstore/detail/pdf-viewer/oemmndcbldboiebfnladdacbdfmadadm) :)

------
segmondy
time to start running everything in its own container, i don't like the idea
of docker for production, but i like the idea of docker for my desktop, i want
to now run every single command in a container, i can run firefox in a linux
container, eg.
[https://bbs.archlinux.org/viewtopic.php?id=196327](https://bbs.archlinux.org/viewtopic.php?id=196327)

------
mrob
The article claims this exploit leaves no trace, but what about Linux atimes
(assuming you don't have noatime set)? Eg. if you found multiple shell scripts
with similar access times when you know you haven't worked on them at the same
time. If this is a workable method of detection then it would be a good idea
to avoid accessing any potentially affected files until you have recorded full
access times.
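
The atime check suggested in the comment above, as an added example that is not part of the original thread: it records access times for the Linux files named in the list posted earlier and flags runs of files read within a few seconds of each other. The glob forms, the 5-second window, the minimum run size and the demo data are assumptions of this example.

```python
import glob
import os
import tempfile
from datetime import datetime, timezone

# Per-user patterns from the Linux file list posted in this thread, relative
# to a home directory. Matching "*pass*.txt", "*access*.txt" and "*.sh" only
# at the top level of the home directory is an assumption of this example.
HOME_PATTERNS = [
    ".bash_history", ".mysql_history", ".pgsql_history",
    ".ssh/known_hosts", ".ssh/authorized_keys*", ".ssh/id_*sa*",
    ".remmina/*.remmina", ".remmina/*.pref",
    ".config/filezilla/*.xml", ".filezilla/*.xml",
    "*pass*.txt", "*access*.txt", "*.sh",
    ".config/psi+/profiles/default/accounts.xml",
]


def snapshot(home):
    """Return [(path, atime)] for files matching HOME_PATTERNS, oldest first.

    Only stat() is used. stat() reads the inode, not the contents, so taking
    the snapshot does not itself update the access times being recorded.
    """
    records = {}
    for pattern in HOME_PATTERNS:
        for path in glob.glob(os.path.join(glob.escape(home), pattern)):
            if os.path.isfile(path):
                records[path] = os.stat(path).st_atime
    return sorted(records.items(), key=lambda item: (item[1], item[0]))


def clusters(records, window=5.0, min_size=3):
    """Split atime-sorted records into runs in which every file was read
    within `window` seconds of the previous one; keep runs of min_size+.

    With relatime (the usual Linux default) a read does not always update
    atime, so an empty result is not evidence that nothing was read.
    """
    runs, current = [], []
    for path, atime in records:
        if current and atime - current[-1][1] > window:
            if len(current) >= min_size:
                runs.append(current)
            current = []
        current.append((path, atime))
    if len(current) >= min_size:
        runs.append(current)
    return runs


def report(home, window=5.0, min_size=3):
    """Human-readable summary of suspicious runs under one home directory."""
    lines = []
    for run in clusters(snapshot(home), window, min_size):
        start = datetime.fromtimestamp(run[0][1], tz=timezone.utc)
        lines.append(f"{len(run)} files read within "
                     f"{run[-1][1] - run[0][1]:.1f}s of {start.isoformat()}")
        lines.extend(f"  {os.path.relpath(path, home)}" for path, _ in run)
    return lines


def demo():
    """Build a constructed home directory with hand-set access times."""
    base = 1438770000  # constructed timestamp
    sample = {  # relative path -> seconds after base (constructed values)
        ".ssh/id_rsa": 0, ".ssh/id_rsa.pub": 1, ".ssh/known_hosts": 1.5,
        "deploy.sh": 2, ".bash_history": 90000, "notes.txt": 1,
    }
    with tempfile.TemporaryDirectory() as home:
        for rel, offset in sample.items():
            path = os.path.join(home, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.utime(path, (base + offset, base + offset))
        return [[os.path.relpath(p, home) for p, _ in run]
                for run in clusters(snapshot(home))]


if __name__ == "__main__":
    print("\n".join(report(os.path.expanduser("~"))) or "no clustered atimes")
```

Run it before opening, grepping or backing up any of these files, since each of those reads can overwrite the access time being examined.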

------
ctb_mg
These browser vulnerabilities have got me thinking that I should start
browsing in a VM. Has anyone moved to this level of isolation? Steve Gibson on
the last Security Now podcast said he's been experimenting with Sandboxie...

Sandboxie looks like a paid closed source solution, I'm not sure they give me
a compelling value proposition over something like a light linux distro under
VirtualBox.

~~~
Nexxxeh
I was for a while, using a W7 VM on VirtualBox. I hooked it up to the VPN
interface so that if the VPN dropped, I wasn't leaking traffic and it couldn't
access the local network or host machine without significant difficulty.

It was initially for minimising the risk of false positives while testing
remote access from the network I was on at the time.

Probably not enough to be hacking NSA, but it quickly added layer of
protection from leaking stuff.

------
51Cards
I sit on the Firefox Beta channel; not seeing an update at the moment. Any
word on the status of this?

~~~
51Cards
Update: Just received an update to the latest Beta of 40.0. Haven't found the
change log but assuming this was the reason.

------
timthelion
This is why everyone should consider running their web browser in a subuser:
[http://subuser.org](http://subuser.org)

------
legulere
And this is why we need working sandboxing on the desktop.

~~~
rockdoe
If you enable e10s in Nightlies you will get sandboxing.

------
mtgx
Great, I applied the update, and now I got "Couldn't load the XPCOM", and I
assume I have to reinstall Firefox.

------
nandhp
Could this exploit also be used to write to files? I have a feeling that it
probably could, and that makes it even scarier.

------
riquito
This exploit made me change my Ubuntu mirror because after hours the updated
package wasn't yet in my configured mirror (but was available elsewhere).

If you need it too, here's the list

[https://launchpad.net/ubuntu/+archivemirrors](https://launchpad.net/ubuntu/+archivemirrors)

------
ommunist
I am not a security pro, but I wonder if server-side installations of PDF.js are
exploitable? WordPress plugins using PDF.js, can these become a new vector to
attack webservers? Case, site uses PDF.js plugin to render PDFs for users. Is
it possible to access server filesystem through PDF.js?

~~~
async5
They are not exploitable (at least not the same way). Firefox PDF viewer is a
modification of PDF.js, so PDF.js code would run in the browser without a web
server. The exploit might poke a hole in EMBED tag security of the web browser
(and not in the PDF.js code itself). WP plugin shall be safe as any web
application (unless it introduces similar security hole in its code, e.g.
XSS).

------
Rexxar
Why the new version number is "39.0.3" ? Did I miss "39.0.1" and "39.0.2" ?

~~~
dveditz_
39.0.1 and 39.0.2 fixed serious regressions in Firefox for Android in some
configurations. They weren't security fixes.

~~~
Rexxar
Thanks, I didn't know the version numbers were global for every platform.

------
ck2
This is why I disable PDF viewing in any browser and have it send it to
sumatraPDF instead

------
joosters
Firefox's 'About' page seems to lack enough information here.

My page just said 'Firefox 39 available' and 'restart to upgrade'. But the
exploit page notes that you need version 39.0.3 in order to be protected. So
it's unclear if the upgrade would fix things or not.

~~~
tempestn
Once you've updated, the About Firefox modal will show you the exact version
number you're on.

~~~
ptha
Exactly, I had "Firefox 39 available", once I'd updated and checked "About
Firefox", it's version 39.0.3

------
hornbill
Out of curiosity, how many users will be opening pdf using pdf.js? Is it
widely used?

I was never comfortable with pdf.js and changed the setting to use the default
pdf viewer in all my machines.

~~~
sanxiyn
I uninstalled PDF viewers and always use pdf.js to view PDFs these days.

~~~
hornbill
I guess pdf.js will be advantageous if you are using browser always.

Most of the times, I have multiple pdf files open side by side. So I had a pdf
viewer in the machine.

------
raldu
PDF.js reader can be disabled in Firefox by setting "pdfjs.disabled" value to
_true_ in "about:config".
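
A way to confirm that the setting actually holds in every profile, as an added example that is not from the thread or from Mozilla: it parses the `user_pref(...)` lines in each profile's prefs.js and user.js and reports the effective `pdfjs.disabled` value. The profile names and file contents in `demo()` are constructed, and treating an unset `pdfjs.disabled` as `false` is an assumption.

```python
import glob
import os
import re
import tempfile

# One user_pref("name", value); per line. The pattern is anchored at the
# start of a line, so a pref that has been commented out with // is ignored.
PREF_RE = re.compile(
    r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.M)


def parse_prefs(text):
    """Return {name: value} for boolean, integer and string prefs in text."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def read_text(path):
    """Read a prefs file, treating a missing file as empty."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


def viewer_disabled(profile_dir):
    """Effective pdfjs.disabled for one profile.

    user.js wins over prefs.js because Firefox re-applies it at every start.
    An unset pref is treated as False (viewer enabled); that default is an
    assumption of this example.
    """
    merged = parse_prefs(read_text(os.path.join(profile_dir, "prefs.js")))
    merged.update(parse_prefs(read_text(os.path.join(profile_dir, "user.js"))))
    return merged.get("pdfjs.disabled", False) is True


def audit(firefox_dir):
    """Return {profile_name: viewer_disabled} for each profile directory."""
    result = {}
    pattern = os.path.join(glob.escape(firefox_dir), "*", "prefs.js")
    for prefs_path in glob.glob(pattern):
        profile = os.path.dirname(prefs_path)
        result[os.path.basename(profile)] = viewer_disabled(profile)
    return result


def demo():
    """Audit three constructed profiles (names and contents are made up)."""
    sample = {
        "abc.default": {"prefs.js": 'user_pref("pdfjs.disabled", true);\n'},
        "def.work": {"prefs.js":
                     '// user_pref("pdfjs.disabled", true);\n'
                     'user_pref("pdfjs.previousHandler.'
                     'alwaysAskBeforeHandling", false);\n'},
        "ghi.test": {"prefs.js": 'user_pref("browser.startup.page", 3);\n',
                     "user.js": 'user_pref("pdfjs.disabled", true);\n'},
    }
    with tempfile.TemporaryDirectory() as root:
        for profile, files in sample.items():
            os.makedirs(os.path.join(root, profile))
            for name, text in files.items():
                with open(os.path.join(root, profile, name), "w") as fh:
                    fh.write(text)
        return audit(root)


if __name__ == "__main__":
    # ~/.mozilla/firefox is the usual profile location on Linux.
    for name, off in sorted(audit(os.path.expanduser("~/.mozilla/firefox")).items()):
        print(f"{name}: built-in PDF viewer {'disabled' if off else 'ENABLED'}")
```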

------
meapix
For PDF, I never view pdf using browser, save it then open it using your pdf
viewer.

------
wnevets
just more reasons to run ad blocking software

------
6d6b73
That's what you get for making the web browser a platform to run applications.

------
bitmapbrother
I wonder if Firefox is going to disable itself.

------
Grue3
Another good idea is to never visit news sites based in Russia. Not only you
won't get infected with random malware, you also won't have to read blatant
propaganda that passes as "news" over here.

------
drvortex
Why is anyone still using this browser anyway? Firefox is the new IE6.

~~~
jacquesm
Because it is the only browser that is not tied hand-and-foot to some major
global commercial player, and because each and every browser ever launched had
security issues.

Even lynx is not immune:

[http://www.cvedetails.com/vulnerability-list/vendor_id-5836/...](http://www.cvedetails.com/vulnerability-list/vendor_id-5836/product_id-9869/Lynx-Lynx.html)

~~~
nilved
> Because it is the only browser that is not tied hand-and-foot to some major
> global commercial player

Not close to true. There are hundreds of browsers out there. I used Surf[0]
and Xombrero[1] for a number of years.

[0] [http://surf.suckless.org](http://surf.suckless.org)

[1]
[https://opensource.conformal.com/wiki/xombrero](https://opensource.conformal.com/wiki/xombrero)

~~~
meapix
thank you! first time I hear about xombrero

