UPDATE–Mozilla has released a patch for a vulnerability in Firefox that was discovered when a user found it being actively exploited in the wild.

The bug affects Firefox’s PDF viewer and Mozilla officials said that the exploit being used by attackers right now looked for specific files on a targeted machine and uploads them to a remote server. It does not allow for remote code execution, though. Mozilla said the exploit goes after Windows, Linux, and Mac machines.

“The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don’t know where else the malicious ad might have been deployed. On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients,” Daniel Veditz of Mozilla said in a blog post

“On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts.”

A Firefox user discovered the exploit being served by a malicious ad on The Moscow Times web site. The exploit then looks for the sensitive files on the victim’s machine and then uploads them to a server that Mozilla officials say appears to be in Ukraine.

“However, this exploit may exist on other websites. We encourage all users to keep their software up-to-date by regularly applying security updates,” Veditz said in an email statement.

Mozilla has patched the vulnerability in Firefox 39.0.3. The bug doesn’t affect Firefox on Android or other products that don’t include the PDF viewer. 

This story was updated on Aug. 11 to add information from Mozilla about the identity of the site serving the exploit.

Categories: Vulnerabilities, Web Security