Firefox 58.0.1: Mozilla releases fix for critical HTML hijack flaw

Exploit could allow hackers to run code thanks to "insufficient sanitization" of HTML fragments.
Written by Steve Ranger, Global News Director

Mozilla has fixed a critical flaw in Firefox that could allow a remote attacker to execute arbitrary code on a targeted device.

An attacker could exploit the vulnerability by persuading a user to access a link or file that then submits malicious input to the affected software, according to a security advisory from Cisco.

A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.

According to Cisco, the vulnerability occurs due to "insufficient sanitization" of HTML fragments in chrome-privileged documents by the affected software.

Mozilla describes chrome, which here does not mean Google Chrome, as any visible aspect of a browser aside from the webpages themselves.


To exploit the flaw, hackers might use misleading language or instructions to persuade a targeted user to open a specially-crafted file.

Mozilla has released an update, Firefox 58.0.1, which fixes the flaw. Mozilla said Firefox for Android and Firefox 52 ESR are not affected by the vulnerability.

Cisco said administrators should apply the appropriate software updates, and that users should not open email messages from suspicious or unrecognized sources. Users with admin rights should use an account without those privileges when browsing the internet.

"If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them," the advisory said.

