On January 29th, Mozilla developer Johann Hofmann reported that unsanitized output in the browser UI could lead to arbitrary code execution. On January 30th, Mozilla released a security update to address this vulnerability (CVE-2018-5124) in Firefox. Exploitation of this vulnerability may allow an attacker to take control of an affected system.
Read an article about the flaw here.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. This means the attacker's code runs on the user's system, and if the user runs Mozilla Firefox with elevated privileges, for example from an Administrator account, the vulnerability can be used to compromise the whole system by executing code with Administrator rights.
What should you do to protect yourself?
We strongly recommend updating both enterprise and personal clients to Firefox 58.0.1 to maintain the security of your devices. The update, released on January 29th, fixes the insufficient sanitization of specific HTML fragments.
As always, it is advised to stay up to date with any software for which patches have been released, and in this case to update Mozilla Firefox to the latest version as soon as possible. This vulnerability also affects a few earlier Mozilla Firefox versions, so whichever version you are using, it is advised to update it.
This flaw does not impact Firefox for Android or Firefox 52 ESR. Mozilla fixed the flaw by sanitizing the HTML fragments that its chrome UI component processes. For further information, please visit the Mozilla Security Advisory for Firefox 58.0.1.
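A small inventory check that applies the conditions above (fixed in 58.0.1, Firefox 52 ESR and Firefox for Android not impacted, every other earlier version to be updated), written as an added example rather than anything from Mozilla or the advisory. It assumes the version string is the output of `firefox --version` (e.g. `Mozilla Firefox 58.0.1`, with an optional `esr` suffix on ESR builds) and that the caller already knows whether the install is the Android build.

```python
import re
from typing import Optional, Tuple

# Version carrying the fix for CVE-2018-5124 (Firefox 58.0.1, per the advisory).
FIXED_VERSION = (58, 0, 1)
# Firefox 52 ESR is stated as not impacted; 52.x is treated as the ESR branch here (assumption).
UNAFFECTED_ESR_MAJOR = 52

# Matches "58.0.1", "58.0" or "52.6.0esr" inside a `firefox --version` line.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(esr)?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Parse a version line such as 'Mozilla Firefox 58.0.1' or '52.6.0esr'.

    Returns ((major, minor, patch), is_esr), or None if no version number is present.
    A missing minor or patch component is treated as 0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(p) if p else 0 for p in m.group(1, 2, 3))
    return (major, minor, patch), m.group(4) is not None


def needs_update(version_text: str, android: bool = False) -> bool:
    """Return True if this Firefox install should be updated for CVE-2018-5124.

    Unparseable input is reported as needing attention rather than silently passing.
    """
    if android:
        return False  # Firefox for Android is not impacted
    parsed = parse_version(version_text)
    if parsed is None:
        return True  # unknown version: flag it for manual review
    version, _is_esr = parsed
    if version[0] == UNAFFECTED_ESR_MAJOR:
        return False  # Firefox 52 ESR is not impacted
    # Anything else below the fixed release is to be updated, as the text advises.
    return version < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample inventory lines, not real hosts.
    for line in ("Mozilla Firefox 57.0.4", "Mozilla Firefox 58.0.1", "Mozilla Firefox 52.6.0esr"):
        print(f"{line!r}: update needed = {needs_update(line)}")
```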