Mozilla Firefox vulnerability (CVE-2015-4495)

Red Hat Product Security has been made aware of a security vulnerability in the Mozilla Firefox web browser. Specially crafted malicious web pages could read local files. This flaw has been assigned CVE-2015-4495 and is rated as having a Important impact. Red Hat would like to thank the Mozilla project for reporting this issue.

Background Information

A flaw was found in Mozilla Firefox, which could allow an attacker to access local files with the permissions of the user running Firefox.

The flaw was discovered in Mozilla Firefox's PDF file viewer (PDF.js). An attacker could create a malicious web page that, when viewed by a victim, could steal arbitrary files (including private SSH keys, the /etc/passwd file, and other potentially sensitive files) from the system running Firefox.

This bug is caused by a flaw in the Mozilla PDF.js file viewer, which can be used to bypass the Same-Origin Policy and allow malicious JavaScript to steal files from the system.

Impact

It is known that this flaw is being publicly exploited, and an exploit exists that specially targets Linux systems. All Red Hat products that use the Mozilla Firefox browser are affected by this issue.

Note: SELinux does not mitigate this issue. See Why doesn't SELinux confine desktop applications for details.

Security Advisories

See the security advisories below that fix this issue:

Product Advisory
Red Hat Enterprise Linux 5 RHSA-2015:1581-1
Red Hat Enterprise Linux 6 RHSA-2015:1581-1
Red Hat Enterprise Linux 7 RHSA-2015:1581-1

Resolution

To eliminate the possibility of exploitation, install the updated firefox packages that have been made available through the advisory listed in the above table and then restart the application.

To install the updates, use the yum package manager as follows:

yum update

To only update the firefox package and its dependencies, use:

yum update firefox

Mitigation

This flaw requires PDF.js to be enabled in Firefox. PDF.js can be disabled as follows:

  1. Type about:config in the Firefox address bar
  2. Search for the pdfjs.disabled entry
  3. Set the pdfjs.disabled entry to True

References

Mozilla advisory 2015-78
Mozilla Security Blog on this topic

Comments