Friday, August 7, 2015

TenFourFox and MFSA 2015-78

Mozilla released Firefox 39.0.3 and ESR 38.1.1 to fix an underlying vulnerability in security principals that can be exploited through the built-in PDF viewer. The bug does not enable arbitrary code execution (that we know of) but can insert JavaScript into a local file context and enable certain privileged behaviours.

TenFourFox 31 does not have the PDF viewer enabled by default, so it is not known to be vulnerable in the shipped configuration. Several diligent attempts to exploit it through other means last night were fruitless, so while it may be possible, I doubt some bright person will manage to do so before the general availability of TenFourFox 38 this coming week. On the other hand, if you have enabled PDF.js in 31.8 through about:config, your browser is now in an unsupported and exploitable configuration, and you should turn it off. This is not true of regular Firefox ESR 31.8, which is vulnerable, and due to the impending end of support for that branch will not be updated.

The TenFourFox 38 betas are vulnerable. If you're using a vulnerable version of TenFourFox (or Firefox ESR, though you should really just update if you're on a Tier-1 platform), you should disable in-browser PDF viewing by setting pdfjs.disabled to true temporarily until 38.2 final is available, which is building as we speak and should be available to testers sometime tomorrow Pacific time. It includes minor cosmetic fixes for the gradient over the URL and bookmarks bars (I used Grafik's numbers since they seemed to work the best; thanks!), fixes the update interval and removes the unsupported Marketplace button from about:home.

No comments:

Post a Comment

Due to an increased frequency of spam, comments are now subject to moderation.