Mozilla Fixes Severe Flaw in Firefox UI That Leads to Remote Code Execution

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Mozilla has released Firefox 58.0.1 to fix a security issue that was hiding in the browser's UI code and would have allowed an attacker to run code on the user's computer, allowing a quick and easy path to delivering malware or even taking over the entire PC.

The flaw, tracked under the identifier CVE-2018-5124, was discovered by Berlin-based Mozilla engineer Johann Hofmann. The engineer says the issue resides in the Firefox "Chrome" component.

This confusingly-named component has been available in Firefox even before Google launched its Chrome browser, and is responsible for "the set of user interface elements of the application window that are outside the window's content area."

Firefox "chrome" components include the likes of menu bars, progress bars, window title bars, toolbars, or UI elements created by add-ons.

Main issue: Firefox runs unsanitized HTML code
These components aren't separated from the code that runs in web pages. Hoffman says that a malicious website could run code meant for Firefox UI elements.

The attacker could hide unsanitized HTML inside this code that breaks the execution chain away from the Firefox chrome UI component and runs commands on the underlying browser/computer.

The code runs with the current user's privileges. If the user is using an admin account, then the code can run SYSTEM-level commands.
Click to expand...

Exploit kit operators expected to jump on the vulnerability

Because the execution chain relies on running untrusted code, the vulnerability is extremely dangerous, as this code could be hidden inside an iframe, loaded off-screen and without the user's knowledge. Because of this, the flaw has received a CVSS severity score of 8.8 out of 10.

Exploit kit operators will surely implement CVE-2018-5124 in their arsenal within the following days, as it's a quick and easy way to secretly install malware on users' computers.

Users are strongly advised to update. Firefox 56.x, 57.x., and 58.0.0 are affected. Firefox for Android and Firefox 52 ESR are not impacted by this flaw. Mozilla fixed the flaw by sanitizing the code executed by its chrome UI component.
Click to expand...
 
  • Like
Reactions: Stopspying, Viking, CoherentCrayon and 3 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • Thanks
Mozilla patches Firefox, Thunderbird against zero-day exploited in attacks
Replies
1
Views
1,509
News Archive
nicolaasjan
nicolaasjan
Gandalf_The_Grey
    • +Reputation
    • Like
ASUS routers vulnerable to critical remote code execution flaws (patched)
Replies
1
Views
1,168
News Archive
codswollip
codswollip
[correlate]
    • Like
    • +Reputation
libcue Library Flaw Opens GNOME Linux Systems Vulnerable to RCE Attacks
Replies
0
Views
654
News Archive
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top