Firefox has had its own internal PDF viewer for a while now, and it’s enabled by default. When you click on a PDF file link in Firefox, it will do one of the following: a) open with Firefox’s internal viewer; b) open with a PDF viewer plugin such as Adobe’s Reader plugin; or c) download and open with an external viewer. Unfortunately, PDF files can also be embedded on web pages, in which case there’s no need to click on anything to view them; merely visiting a web site with an embedded PDF will show the file’s contents. Worse still, some advertising platforms serve ads in the form of PDF files.
Now comes news that a newly-discovered vulnerability in Firefox’s internal PDF viewer is being actively exploited on at least one advertising network, and that malware-containing PDF ads were recently observed on a Russian news site.
Mozilla confirmed the bug and quickly released Firefox 39.0.3 to address it. All users are strongly encouraged to update Firefox as soon as possible.
But there’s more bad news. There’s no way to know whether this vulnerability has been exploited elsewhere on the web. There’s no reason to assume that only one Russian news site was affected, or that infected ads haven’t already appeared on other ad networks and web sites. If you use Firefox with the internal PDF viewer enabled, there’s a chance your computer ran a malicious script at some point. If you run a script blocker like Noscript, and you haven’t altered its default behaviour, you were probably protected.
The only known instance of a malicious script that exploits this vulnerability looks for configuration files related to Subversion, Pidgin, Filezilla, and other FTP applications on Windows systems. If you have any passwords stored in these configuration files, you should consider changing those passwords.
You might also want to consider disabling Firefox’s built-in PDF viewer. To do that, enter ‘about:config’ in the address bar. You’ll see a warning; confirm that you want to proceed by clicking the “I’ll be careful” button. In the Search box, enter ‘pdfjs.disabled’. One setting should appear in the list below. If the setting is currently ‘false’, double-click it to change it to ‘true’. This will prevent embedded PDFs from being shown on web pages.