A website in Russia has been caught exploiting a serious zero-day vulnerability in Mozilla’s Firefox browser, prompting the open-source developer to deliver an emergency update that fixes the flaw.The bug in a built-in PDF reader allowed attackers to steal sensitive files stored on the hard drives of computers that used the vulnerable Firefox version. The attack was used against both Windows and Linux users, Mozilla researcher Daniel Veditz wrote in a blog post published Thursday. The exploit code targeting Linux users uploaded cryptographically protected system passwords, bash command histories, secure shell (SSH) configurations and keys. The attacker downloaded several other files, including histories for MySQL and PgSQL and configurations for remina, Filezilla, and Psi+, text files that contained the strings “pass” and “access” in the names. Any shell scripts were also grabbed.
Read on, source: 0-day attack on Firefox users stole password and key data: Patch now! | Ars Technica