Add mfsa for PDF reader

2015-08-06 15:13:26 -05:00 · 2015-08-06 15:13:26 -05:00 · ded022cb1f
--- a/announce/2015/mfsa2015-78.md
+++ b/announce/2015/mfsa2015-78.md
@ -0,0 +1,33 @@
+---
+announced: August 6, 2015
+fixed_in:
+- Firefox 39.0.3
+- Firefox ESR 38.1.1
+impact: Critical
+reporter: Cody Crews
+title: Same origin violation and local file stealing via PDF reader
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Cody Crews</strong> reported on a way to
+violate the same origin policy and inject script into a non-privileged part
+of the built-in PDF Viewer. This would allow an attacker to read and steal
+sensitive local files on the victim's computer.
+</p>
+
+<p>Mozilla has received reports that an exploit based on this vulnerability
+has been found in the wild.
+</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1178058">
+       It's possible to read local files or perform privilege escalation by
+using a native setter</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4495"
+class="ex-ref">CVE-2015-4495</a>)</li>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1179262">
+       Remove PlayPreview registration from PDF Viewer</a></li>
+</ul>