Mozilla Fixes Severe Flaw in Firefox UI That Leads to Remote Code Execution

Mozilla has released Firefox 58.0.1 to fix a security issue that was hiding in the browser's UI code and would have allowed an attacker to run code on the user's computer, allowing a quick and easy path to delivering malware or even taking over the entire PC.

The flaw, tracked under the identifier CVE-2018-5124, was discovered by Berlin-based Mozilla engineer Johann Hofmann. The engineer says the issue resides in the Firefox "Chrome" component.

This confusingly-named component has been available in Firefox even before Google launched its Chrome browser, and is responsible for "the set of user interface elements of the application window that are outside the window's content area."

Firefox "chrome" components include the likes of menu bars, progress bars, window title bars, toolbars, or UI elements created by add-ons.

Main issue: Firefox runs unsanitized HTML code

These components aren't separated from the code that runs in web pages. Hoffman says that a malicious website could run code meant for Firefox UI elements.

The attacker could hide unsanitized HTML inside this code that breaks the execution chain away from the Firefox chrome UI component and runs commands on the underlying browser/computer.

The code runs with the current user's privileges. If the user is using an admin account, then the code can run SYSTEM-level commands.

Exploit kit operators expected to jump on the vulnerability

Because the execution chain relies on running untrusted code, the vulnerability is extremely dangerous, as this code could be hidden inside an iframe, loaded off-screen and without the user's knowledge. Because of this, the flaw has received a CVSS severity score of 8.8 out of 10.

Exploit kit operators will surely implement CVE-2018-5124 in their arsenal within the following days, as it's a quick and easy way to secretly install malware on users' computers.

Users are strongly advised to update. Firefox 56.x, 57.x., and 58.0.0 are affected. Firefox for Android and Firefox 52 ESR are not impacted by this flaw. Mozilla fixed the flaw by sanitizing the code executed by its chrome UI component.