- #FIREFOX FOR ANDROID INSTALL#
- #FIREFOX FOR ANDROID UPDATE#
- #FIREFOX FOR ANDROID ANDROID#
- #FIREFOX FOR ANDROID DOWNLOAD#
#FIREFOX FOR ANDROID UPDATE#
If you’re a Firefox for Android user, we suggest that you check whether you use the browser’s version 79, or even better, its latest version (80) if not, you should update your browser immediately.Android 3.0 Honeycomb (API level 11) / Android 3.1 Honeycomb (API level 12) / Android 3.2–3.2.6 Honeycomb (API level 13) / Android 4.0–4.0.2 Ice Cream Sandwich (API level 14) / Android 4.0.3–4.0.4 Ice Cream Sandwich (API level 15) / Android 4.1–4.1.2 Jelly Bean (API level 16) / Android 4.2–4.2.2 Jelly Bean (API level 17) / Android 4.3–4.3.1 Jelly Bean (API level 18) / Android 4.4–4.4.4 KitKat (API level 19) / Android 4.4W–4.4W.2 KitKat, with wearable extensions (API level 20) / Android 5.0–5.0.2 Lollipop (API level 21) / Android 5.1–5.1.1 Lollipop (API level 22) / Android 6.0+ Marshmallow (API level 23) The bug has been fixed with the release of Firefox for Android 79, the direct successor to version 68.11.0. The security researcher added that he reported the vulnerability to Mozilla. Then, that intent will be invoked by the Firefox application itself,” said Moberly, shedding some light on how the vulnerability could be exploited. “Instead of providing the location of an XML file describing a UPnP device, an attacker can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI.
However, that’s the moment when cybercriminals could make their move. In a write-up of the problem on his GitLab page, Moberly explained that vulnerable versions of the Firefox browser routinely send out SSDP discovery messages, looking for second-screen devices connected to the same local network that they can cast to (imagine a Chromecast, Roku, or similar gizmo).ĭevices connected on that local network can respond to these broadcasted messages, providing the location of an XML (eXtensible Markup Language) file containing their configuration details, which Firefox will then attempt to access. “It makes exploitation of this issue really easy,” he added. He went on to warn that successful exploitation of the bug could lead to a phishing attack on public Wi-Fi networks, by requesting personal user information or login credentials from all users connected to the network who were running unpatched versions of the browser. “This is a serious issue that allows to trigger any Android Intent on the same Wi-Fi network without any user interaction if you have a vulnerable version of Firefox for Android installed on your device,” said Stefanko. I was able to open custom URL on every smartphone using vulnerable Firefox (68.11.0 and below) found by /lbQA4qPehq I tested this PoC exploit on 3 devices on same wifi, it worked pretty well.
The bug, which resided in Firefox’s Simple Service Discovery Protocol (SSDP), was uncovered by security researcher Chris Moberly and affected Firefox for Android versions of 68.11.0 and below.ĮSET malware researcher Lukas Stefanko has tested a proof-of-concept (PoC) exploit that takes advantage of the security hole, running the PoC on three devices connected to the same Wi-Fi router.Įxploitation of LAN vulnerability found in Firefox for Android
#FIREFOX FOR ANDROID DOWNLOAD#
The vulnerability could be abused by black hats to force users to visit websites housing malicious content, which could then be used to execute phishing attacks or to download malware to their devices. Mozilla has patched a security flaw that could allow cybercriminals to hijack all vulnerable Firefox for Android browsers running on devices connected to the same Wi-Fi network.
#FIREFOX FOR ANDROID INSTALL#
Attackers could have exploited the flaw to steal victims’ login credentials or install malware on their devices
0 kommentar(er)
