[SingCERT] Alert on Firefox Browser Critical Vulnerability (CVE-2018-5124)

Published on Friday, 02 February 2018 21:53

Background

On 29 January 2018, Mozilla Foundation announced a critical vulnerability (CVE-2018-5124) found in its Firefox browser.

The vulnerability is due to insufficient sanitisation of HTML fragments in Chrome-privileged documents. The exploit takes advantage of Firefox's Chrome User Interface (UI) components, such as menu bars, progress bars, window title bars and toolbars, allowing potentially malicious code to reach the browser and run commands there or on the host computer. This vulnerability could be exploited by deceiving a user into accessing a link or file, thereby allowing attackers to execute arbitrary code on the user's system.

Affected Versions

Firefox versions 56.x, 57.x and 58.0.0

Impact

Attackers can craft content that, when loaded by users who unknowingly access a link or file, allows remote arbitrary code execution, which could lead to malicious activities.

Recommendations

  • Mozilla has released an updated version, Firefox 58.0.1, to address the vulnerability.
  • Users are reminded not to click on links or open attachments from unsolicited emails or suspicious sources.
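
The advisory lists the affected versions (56.x, 57.x and 58.0.0) and the fixed release (58.0.1). The script below is an added example, not part of the SingCERT advisory or of Mozilla's tooling: it parses Firefox version strings as reported by an endpoint inventory and flags hosts still running an affected build, so an administrator can confirm the update recommended above has actually landed. The inventory contents are constructed sample data, and the treatment of versions outside the listed range (older ESR lines, releases after 58.0.1) as not affected follows only what the advisory states.

```python
"""Flag Firefox installs in the range affected by CVE-2018-5124.

Affected versions per the SingCERT advisory: 56.x, 57.x and 58.0.0.
Fixed release: 58.0.1. Versions outside that range are treated as
not affected because the advisory does not list them.
"""
import re
from typing import Dict, List, Tuple

# First release that carries the fix, as stated in the advisory.
FIXED_VERSION: Tuple[int, int, int] = (58, 0, 1)
# Major versions affected in their entirety.
AFFECTED_MAJORS = {56, 57}
# Major version that is affected only below FIXED_VERSION.
PARTIALLY_AFFECTED_MAJOR = 58

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][suffix]' into a comparable 3-tuple.

    A missing patch component is treated as 0 ('58.0' == '58.0.0');
    trailing channel markers such as 'esr' or 'b3' are ignored.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised Firefox version string: {version!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """Return True if the given Firefox version is in the advisory's affected range."""
    parsed = parse_version(version)
    major = parsed[0]
    if major in AFFECTED_MAJORS:
        return True
    if major == PARTIALLY_AFFECTED_MAJOR:
        # 58.0.0 is affected; 58.0.1 and later carry the fix.
        return parsed < FIXED_VERSION
    return False


# Constructed sample inventory (hostname -> Firefox version reported by the
# endpoint). These are illustrative values, not data from the advisory.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": "57.0.4",
    "ws-02": "58.0.1",
    "ws-03": "58.0",
    "ws-04": "56.0.2",
    "ws-05": "52.6.0esr",
}


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose Firefox version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {SAMPLE_INVENTORY[host]} is affected by CVE-2018-5124; update to 58.0.1 or later")
```

Feeding the script a real inventory export (for example, the version string each endpoint's management agent reports) is the only change needed; the version comparison itself is deliberately restricted to the ranges the advisory names rather than guessing about other release lines.
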

References

https://securitytracker.com/id/1040308

https://www.bleepingcomputer.com/news/security/mozilla-fixes-severe-flaw-in-firefox-ui-that-leads-to-remote-code-execution/