Exploit could allow hackers to run code thanks to “insufficient sanitization” of HTML fragments.
Mozilla has fixed a critical flaw in Firefox that could allow a remote attacker to execute arbitrary code on a targeted device.
An attacker could exploit the vulnerability by persuading a user to access a link or file that then submits malicious input to the affected software, according to a security advisory from Cisco.
A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.
According to Cisco, the vulnerability occurs due to “insufficient sanitization” of HTML fragments in chrome-privileged documents by the affected software.
Mozilla describes chrome, which here does not mean Google Chrome, as any visible aspect of a browser aside from the webpages themselves.
To exploit the flaw, hackers might use misleading language or instructions to persuade a targeted user to open a specially crafted file.
Mozilla has released an update, Firefox 58.0.1, which fixes the flaw. Mozilla said Firefox for Android and Firefox 52 ESR are not affected by the vulnerability.
Cisco said administrators should apply the appropriate software updates, and users should not open email messages from suspicious or unrecognized sources. Users with admin rights should use an account without those privileges when browsing the internet.
“If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them,” the advisory said.