Mozilla released an update to address critical security flaws affecting Windows Firefox browsers a few days after Google patched a similar flaw in Chrome that was active as zero-day.
Security vulnerability, CVE-2025-2857, is described as a case with the wrong handle that could lead to sandbox escape.
“Following the recent Chrome Sandbox Escape (CVE-2025-2783), various Firefox developers have identified similar patterns in their IPCs [inter-process communication] Code,” Mozilla said in advice.
“A compromised child process can lead to an unintentionally returning a strong handle, leading to a sandbox escape.”
The disadvantages affecting Firefox and Firefox ESR are addressed in Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1. There is no evidence that CVE-2025-2857 was misused in the wild.
This development occurs when Google releases Chrome version 134.0.6998.177/.178 for Windows to fix CVE-2025-2783.
Kaspersky, which detected activity in mid-March 2025, said the infection occurred after an unspecified victim clicked on a specially created link in a phishing email and opened an attacker-controlled website using Chrome.
CVE-2025-2783 is said to have been chained together with another unknown exploit in a web browser to break out of sandbox scope and achieve remote code execution. That said, patching a bug effectively blocks the entire attack chain.
The US Cybersecurity and Infrastructure Security Agency (CISA) has since added flaws to its known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the necessary mitigations by April 17, 2025.
Users are advised to update their browser instances to the latest version to protect against potential risks.
Source link
