Patch released to fix Firefox arbitrary code execution vulnerability

Mozilla released an update to its open-source Firefox web browser after Mozilla developer Johann Hofmann found a critical flaw in how HTML is handled by the browser's privileged user-interface code, a flaw that could let a remote attacker run code on the victim's machine. The vulnerability affects only the desktop version of Firefox, not the iOS, Android or Amazon Fire TV versions.

The vulnerability was the result of “insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software,” according to a detailed advisory released by Cisco on Tuesday.

To exploit it, an attacker would have to trick the user, with misleading text or instructions, into visiting a malicious page or opening a file that appears legitimate. Once the crafted content reaches the vulnerable code path, the attacker can execute arbitrary code with the privileges of the user running Firefox, rather than the tightly restricted privileges normally granted to web content.

The flaw lies in Firefox's "chrome" user-interface layer (no relation to Google Chrome), the privileged code that draws elements such as "menu bars, progress bars, window title bars, toolbars, or UI elements created by add-ons," as BleepingComputer explains. Because that layer runs with the browser's own privileges, markup that reaches it unsanitized can do far more damage than the same markup in an ordinary web page.
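The following is an added illustration of the bug class named in the advisory (insufficient sanitization of HTML fragments in a chrome-privileged document) and in the BleepingComputer description of the chrome UI layer. It is hypothetical code written for this article, not Firefox's own code path, which the advisory does not publish; the widget, the function names and the sample page title are all assumptions. It shows a privileged UI fragment built from untrusted input in its vulnerable and hardened forms, plus a small review-time check for markup that would execute when parsed.

```javascript
// Added example, not Firefox code: an HTML fragment assembled in a privileged
// ("chrome") UI document from input that originates in web content.
// All names and the sample title below are assumptions for illustration.

// Hypothetical privileged widget: builds a fragment that the UI later inserts
// into a chrome document with innerHTML / insertAdjacentHTML.
function buildTitleFragmentUnsafe(pageTitle) {
  // BUG: pageTitle comes from web content but is spliced in as raw markup, so
  // any tag or inline event handler inside it becomes live DOM in the
  // privileged document and runs with the browser's privileges.
  return `<label class="title">${pageTitle}</label>`;
}

// Hardened form: escape the characters that can alter HTML structure so the
// input is rendered as text and never parsed as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function buildTitleFragmentSafe(pageTitle) {
  return `<label class="title">${escapeHtml(pageTitle)}</label>`;
}

// Review-time heuristic: does a fragment contain markup that would execute
// when parsed? Looks for script-bearing tags, inline on* handlers and
// javascript: URLs inside a tag. A triage aid for spotting this bug in
// fragments, not a sanitizer.
const ACTIVE_MARKUP =
  /<(script|iframe|object|embed)\b|<[a-z][^>]*\son[a-z]+\s*=|<[a-z][^>]*\b(href|src)\s*=\s*["']?\s*javascript:/i;

function containsActiveMarkup(fragment) {
  return ACTIVE_MARKUP.test(fragment);
}

// Constructed sample input: a page title carrying an injected event handler.
const HOSTILE_TITLE = 'My Page<img src=x onerror="alert(document.location)">';

console.log('unsafe:', buildTitleFragmentUnsafe(HOSTILE_TITLE));
console.log('safe:  ', buildTitleFragmentSafe(HOSTILE_TITLE));
```

In real UI code the hardened form would not build HTML strings at all: it would create the element and set `textContent`, so there is no string to mis-parse. Where some markup must be allowed through, the fragment should go through a parser-based, allowlist sanitizer before insertion; the regular expression above is only a way to flag suspicious fragments during review and will not catch every encoding trick an attacker can use.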

Firefox 58.0.1 is the first update to Firefox 58, the latest Firefox Quantum release, which shipped just a week earlier. Firefox users are advised to update immediately and to avoid opening emails or clicking links that look suspicious or come from unknown contacts. The installed version can be checked under Help > About Firefox; desktop builds older than 58.0.1 should be updated. When in doubt about the source of a link, file or email, it is safer not to click, download or open it.

Asked about its plans for 2018, Mozilla said it wants to bring Quantum-style improvements to its mobile browsers and to concentrate on Focus, its privacy-oriented browser for iOS and Android.

“Mobile will be huge for Mozilla in 2018 and we will see how much of that we want to include in Firefox, Focus or even other apps,” Barbara Bermes, product manager for Firefox Mobile, told Neowin in an interview. “As it relates in particular to Focus, we want to be the trusted browser providing the most privacy by design and by default. The idea is to include smart defaults that address privacy concerns while not sacrificing performance or convenience.”

This is a Security Bloggers Network syndicated blog post authored by Luana Pascu. Read the original post at: HOTforSecurity