Mozilla plugs critical and easily exploitable flaw in Firefox

Firefox users would do well to upgrade to the browser’s latest release if they want to keep their computers safe from compromise.


Released on Monday, Firefox 58.0.1 contains one but very important security fix that plugs a vulnerability arising from insufficient sanitization of HTML fragments in chrome-privileged documents. (In this context, chrome is not the popular Google browser, but a component of Firefox.)

The vulnerability (CVE-2018-5124) is considered critical because a successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. And if the user has elevated privileges, the attacker could compromise the system completely.

Another reason for such a classification is that exploitation can be triggered with just a bit of clever social engineering.

“An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software,” Cisco explained in an advisory.

“To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a targeted user to open a crafted file.”

The flaw was found in Firefox versions 56 through 58 by Mozilla developer Johann Hofmann. Firefox for Android and Firefox 52 ESR are not affected.

Users and administrators are advised to apply the software update as soon as possible and, in general, to avoid following links or opening attachments contained in unsolicited (email) messages that come from unrecognized sources.

Don't miss