Unsanitary Firefox gets fix for critical HTML-handling hijack flaw

 
January 31st 2018
Versions 56 through 58 need patching, pronto
Mozilla has patched a nasty security bug in Firefox, affecting versions 56, 57 and 58, and their point updates.

The CVSS-8.8-rated flaw means that if an attacker can get a user to open a malicious document or link, remote code execution becomes a possibility – allowing spyware, ransomware and other nasties to be installed and run.

An advisory from Cisco explains: “The vulnerability is due to insufficient sanitisation of HTML fragments in chrome-privileged documents by the affected software … A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.”

That's not chrome as in Google Chrome, by the way, that's chrome as in a confusingly named component of the Firefox engine.

Affected versions are: 56 (.0, .0.1, .0.2), 57 (.0, .0.1, .0.2, .0.3, .0.4), and 58 (.0). The bug is not present in Firefox for Android or Firefox 52 ESR. The fix is in Firefox 58.0.1, which you can download here.
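For teams triaging a fleet against the version range above, here is an added example (not from the article or from Mozilla) that sorts installed builds into affected, not affected, or needing manual review. The hostnames and inventory lines are constructed, and the code assumes version strings in the `Mozilla Firefox <version>` form that `firefox --version` prints.

```python
import re

# Bounds taken from the article: 56.0 through 58.0 are affected, 58.0.1 is fixed.
FIRST_AFFECTED = (56, 0, 0)
FIRST_FIXED = (58, 0, 1)

# major.minor[.patch][esr]; the trailing \b rejects betas such as "58.0b12".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def classify(version_string):
    """Return 'affected', 'not affected' or 'review' for one version string."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return "review"  # unparseable or pre-release build: needs a human
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if m.group(4):
        # The article only states that the 52 ESR line is unaffected.
        return "not affected" if version[0] == 52 else "review"
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        return "affected"
    return "not affected"


def hosts_to_patch(inventory_lines):
    """Group hosts from 'host,version string' lines by the verdicts that need action."""
    result = {"affected": [], "review": []}
    for line in inventory_lines:
        host, _, version = line.partition(",")
        verdict = classify(version)
        if verdict in result:
            result[verdict].append(host.strip())
    return result


# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = [
    "ws-001,Mozilla Firefox 58.0.1",
    "ws-002,Mozilla Firefox 57.0.4",
    "ws-003,Mozilla Firefox 52.6.0esr",
    "ws-004,Mozilla Firefox 56.0",
    "ws-005,Mozilla Firefox 58.0",
    "ws-006,Mozilla Firefox 58.0b12",
]

if __name__ == "__main__":
    print(hosts_to_patch(SAMPLE_INVENTORY))
```

"Not affected" here refers only to the bug described in this article; it says nothing about other fixes a build may be missing.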

In Firefox's bug tracker, programmer Kris Maglione explained that the fix sanitizes HTML fragments.

Maglione noted that the problem arises because it's impossible to block inline scripts: “The risk of XSS in chrome documents is much higher than it is in web content. Unfortunately, we currently rely on so much inline JS in our static XUL documents that that's not really feasible in the short term.”

The knock-on of that is that an issue has been filed for the future Firefox 60 channel, with developer J Ryan Stinnett explaining: “Once DevTools upgrades to React 16, it should be possible for the Browser component to move away from `innerHTML`. It's currently used only because React before 16 doesn't allow non-standard attributes.”

Such changes would inoculate Firefox 60 against a similar bug in future. 
