Source: VentureBeat

Firefox security glitch exploited by malicious ad that could steal users’ local files

Heads up, Firefox users — Mozilla is urging you to update your browser post-haste, after a rogue advertisement on a Russian news site was found to be exploiting a vulnerability that compromised Firefox users’ local files.

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the ‘same origin policy’) and Firefox’s PDF Viewer,” explained Mozilla’s security head, Daniel Veditz, in a blog post.

In effect, the attacker was able to circumvent Firefox’s security and inject a malicious script that searched for key files on a user’s machine and then uploaded them to a remote server, thought to be located in Ukraine. This would’ve applied to anyone loading the page with the exploit on it — and the exploit left no trace, according to Mozilla.

The issue was reported on Wednesday, August 5, with a security update issued yesterday. While Mozilla says only Windows and Linux users were apparently targeted, the malware could easily be adapted for Mac users too — so everyone is encouraged to update to the latest version.

Even if you haven’t visited the Russian news site in question, you aren’t necessarily in the clear: it’s not known whether the ad has been deployed elsewhere. Firefox for Android, and other Mozilla products that don’t sport the built-in PDF Viewer, are not affected.

While ad-blocking is still frowned upon by many, this latest incident could provide people with added justification for using ad-blocking software on their computers.