Firefox users, here's a security flaw you'll need to fix

This bug can upload files from your computer if you visit the wrong news site. But you can close up the hole by downloading the latest version of the browser.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
Lance Whitney
2 min read

You'll need to update to the latest version of Firefox to squash a new bug. screenshot by Lance Whitney/CNET

Another day, another security flaw -- this one affecting Mozilla's Web browser, Firefox. But this one is easy enough for you to fix.

On Thursday, Mozilla revealed a vulnerability in its browser that was discovered by a Firefox user. An ad on an unnamed news site in Russia was able to tap into the vulnerability to upload certain files from a user's computer to a server apparently based in the Ukraine. Exploiting Firefox's PDF Viewer and its use of the widespread JavaScript code, the hack seems to capture only "developer focused" files -- think FTP (file transfer protocol) -- at least in Windows. Your personal files and data aren't caught in the attack, but the hack is still alarming.

Has the world grown weary of security hacks and exploits at this point? Each day, those who browse the Web or use Windows or Adobe Flash or numerous other products seem to face yet another security worry. Even the Mac OS, which has long held a reputation as being secure, isn't immune. Software is imperfect, and hackers are always going to find a way to exploit certain weaknesses. So what do we do? Protect our computers with security software. Be careful of where we go and what we do on the Internet. Hope that vendors quickly find and fix the vulnerabilities. And Mozilla had done just that.

Released on Thursday, the latest version of Firefox -- version 39.0.3 -- contains a fix for the security hole. Mozilla is urging all Firefox users to upgrade to this latest version.

To update Firefox to the latest version, click on the Help menu from the Menu Bar or the Firefox button in the upper left corner. Then click on the setting for About Firefox. If you don't already have the latest version, you should see a button that reads "Update to 39.0.3." Click on that button, and Firefox will automatically update itself to the new, secure version, and then prompt you to restart it.

The vulnerability affects both Windows and Linux. It does not affect the Firefox mobile app for Android as that program does not contain the PDF Viewer. It has not affected Macs as of yet, but Mozilla said that Apple's OS X would not be impregnable if someone were to target it. People who use software that blocks ads on the Web may have been protected from the security flaw, but that depends on the specific program and filters in place.

Mozilla expressed surprise at the types of files that were targeted.

"The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don't know where else the malicious ad might have been deployed," Mozilla security lead Daniel Veditz said in Thursday's security blog.

Veditz added this sobering thought: "The exploit leaves no trace it has been run on the local machine."