Mozilla is asking all Firefox users to upgrade immediately to version 39.0.3. Anyone on the Firefox Extended Support release via their school or business should upgrade to version 38.1.1.
The security issue only affects PCs since the flaw relies on an interaction between Firefox’s PDF Viewer and other parts of the browser. Firefox for Android does not have the PDF Viewer and therefore not vulnerable, according to a blog post by Mozilla’s security lead, Daniel Veditz.
Mozilla first became aware of the flaw after a Firefox user noticed that an ad embedded on a Russian news site was using an exploit to search for sensitive files. The malware would then upload the sensitive files to a server in the Ukraine. This all appears to happen in the background with the user none the wiser. The malware also leaves no trace it was ever on your machine.
The specific exploit found in the wild was only targeting Windows and Linux PCs; however, Veditz warns that Mac users would be vulnerable if the malware had been crafted differently.
On Windows, the malware was looking for some very specific data, including configuration files for several different FTP upload programs including Filezilla, the subversion version control system, S3 Browser, and the PSI Plus and Pidgin chat clients that are popular choices for encrypted, off-the-record messaging.
The impact on you at home: If you use any of the programs mentioned above, Mozilla advises you to change your passwords and any keys associated with them. If not, you should still update your browser as soon as possible in case other, as-yet-unknown exploits are looking for sensitive files you do have on your system.
Firefox will update automatically in time, but to do it manually right now, click on the “hamburger” settings menu on the upper right hand side and select the question mark icon at the bottom of the drop-down window. Next, select About Firefox and the browser will check for updates. This is also the screen where you can see your Firefox version number. If you are running 39.0.3 you’re good to go.