Today, Mozilla has released an important update (version 58.0.1) for its Firefox web browser to patch a critical vulnerability. The exploit is found in Firefox’s user interface code and it could allow remote attackers to execute malicious code on computers running an affected version of the browser.
Mozilla has made major design and code changes in Firefox version 57, otherwise known as Firefox Quantum. These changes made Firefox faster, and less memory hungry, while bringing support for multiprocess, improved graphics engine and webpage renderer and more. However, the change also introduced a flaw that is hidden in the browser’s user interface code that made it possible to for an attacker to run unsanitized HTML on a user’s computer.
The exploit took advantage of Firefox’s Chrome UI component, which was not properly sandboxed, allowing potentially malicious code to make its way over to the browser itself and run commands there or on the host computer. The “Chrome UI” has been available in Firefox even before Google launched its Chrome browser, and is responsible for “the set of user interface elements of the application window that are outside the window’s content area“. The “Chrome UI” components include the likes of menu bars, progress bars, window title bars, toolbars, or UI elements created by add-ons.
According to a security advisory published by Cisco, Firefox 58.0.1 addresses an “arbitrary code execution” flaw that originates due to “insufficient sanitization” of HTML fragments in chrome-privileged documents (browser UI). Hackers could exploit this vulnerability (CVE-2018-5124) to run arbitrary code on the victim’s computer just by tricking them into accessing a link or “opening a file that submits malicious input to the affected software“.
A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.
This could allow an attacker to install programs, create new accounts with full user rights, and view, change or delete data.
Any code run this way was restricted by a user’s system privileges, which means damage was somewhat limited on regular accounts. However, if you were using an admin-level account, it is possible that any problematic code could have affected the entire computer without the user ever knowing. While the risk is somewhat mitigated on GNU/Linux based systems where users have limited permissions, it is a serious risk for Windows users as most users accounts have admin privileges.
The security hole was present in the past three major iterations of Firefox, versions 56.x, 57.x, and 58.0. Fortunately, Firefox for Android and Firefox 52 ESR are not impacted by this flaw. Mozilla fixed the flaw by sanitizing the code executed by its chrome UI component and users are advised to update to Firefox 58.0.1. You can download the latest version directly from the company’s official website. If you are running GNU/Linux, the update will soon be available through your distro’s package manager. So, if you have not updated your browser, you should really go do that now.
