Firefox vulnerability allowing for arbitrary code execution is fixed

A critical vulnerability in Firefox that allowed an attacker to remotely execute code if a user opened a malicious document or link has been patched, Mozilla announced Monday.

The bug presented possible attackers with an incredibly potent phishing tool for common attacks like ransomware.

“The vulnerability is due to insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software,” according to a Cisco brief. “An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.”

The flaw received an 8.8 score on the Common Vulnerability Scoring System, a global standard run by the industry group FIRST. It affects Firefox browser versions 56, 57 and 58.0.0. Firefox version 58.0.1 fixes the problem.

Mozilla developer Johann Hofmann discovered the bug allowing unsanitized output in the browser UI can lead to arbitrary code execution.