Mozilla has released an important update for its Firefox web browser to patch a critical vulnerability that could allow remote attackers to execute malicious code on computers running an affected version of the browser.
The update comes just a week after the company rolled out its new Firefox Quantum browser, a.k.a Firefox 58, with some new features like improved graphics engine and performance optimizations and patches for more than 30 vulnerabilities.
According to a security advisory published by Cisco, Firefox 58.0.1 addresses an ‘arbitrary code execution’ flaw that originates due to ‘insufficient sanitization’ of HTML fragments in chrome-privileged documents (browser UI).
Hackers could exploit this vulnerability (CVE-2018-5124) to run arbitrary code on the victim’s computer just by tricking them into accessing a link or ‘opening a file that submits malicious input to the affected software.’
“A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely,” the advisory states.
This could allow an attacker to install programs, create new accounts with full user rights, and view, change or delete data.
However, if the application has been configured to have fewer user rights on the system, the exploitation of this vulnerability could have less impact on the user.
Affected web browser versions include Firefox 56 (.0, .0.1, .0.2), 57 (.0, .0.1, .0.2, .0.3, .0.4), and 58 (.0). The vulnerability has been addressed in Firefox 58.0.1, and you can download from the company’s official website.
The issue, which was discovered by Mozilla developer Johann Hofmann, does not affect Firefox browser for Android and Firefox 52 ESR.
Users are recommended to apply the software updates before hackers exploit this issue, and avoid opening links provided in emails or messages if they appear from suspicious or unrecognized sources.
Administrators are also advised to use an unprivileged account when browsing the Internet and monitor critical systems.
- Hard-Coded Password in Cisco Software Lets Attackers Take Over Linux Servers
- Microsoft Issues Emergency Patch For Under-Attack IE Zero Day
- Microsoft Releases Patches for 60 Flaws—Two Under Active Attack
- Two Critical 0-Day Remote Exploits for vBulletin Forum Disclosed Publicly
- Microsoft Issues Software Updates for 17 Critical Vulnerabilities