Mozilla Releases Urgent Patch for Windows Users Following Recently Exploited Chrome Zero-day
- С сайта: Zero-Day(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Zero-Day(cybersecuritynews.com)
Mozilla has released an emergency security update for its Firefox browser on Windows systems to address a critical vulnerability that could allow attackers to escape browser sandboxes and potentially gain control of affected systems.
The patch comes shortly after Google patched a similar zero-day vulnerability in Chrome that was being actively exploited in the wild.
According to the Mozilla Foundation Security advisory, the flaw involves an “incorrect handle” in Firefox’s IPC (Inter-Process Communication) code that could lead to sandbox escapes on Windows systems.
Mozilla researcher Andrew McCreight is credited with discovering the vulnerability after Firefox developers identified a pattern similar to the recently exploited Chrome vulnerability.
“Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code,” the advisory states.
“A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape”.
The vulnerability specifically affects Firefox running on Windows operating systems. Linux, macOS, and other operating systems are not vulnerable to this particular exploit.
Browser sandboxes are security mechanisms designed to contain potentially malicious code and prevent it from accessing sensitive system resources.
A sandbox escape vulnerability allows malicious code to break out of these restrictions, potentially giving attackers access to the underlying operating system.
The vulnerability involves Firefox’s IPC mechanism, which manages communication between different process components of the browser.
The flaw could allow a compromised child process to trick the parent process into returning a handle with elevated privileges, effectively bypassing the sandbox protection.
The summary of the vulnerability is given below:
Risk Factors Details Affected Products– Firefox versions prior to 136.0.4- Firefox ESR versions prior to 128.8.1- Firefox ESR versions prior to 115.21.1(Windows versions only)ImpactPotential system compromiseExploit Prerequisites– Windows operating system- Unpatched version of Firefox- Attacker ability to compromise a child processCVSS 3.1 ScoreHigh
Affected Versions and Patch Availability
Mozilla has released fixes for the vulnerability in the following browser versions:
The vulnerability has been classified as “critical” due to its potential impact and the fact that attackers were actively exploiting a similar vulnerability in Chrome.
While Mozilla has not confirmed whether the Firefox vulnerability was exploited in the wild, the advisory notes that the “original vulnerability was being exploited in the wild,” likely referring to the Chrome zero-day.
Windows users running Firefox should immediately update their browsers to the patched versions.
Automatic updates are typically enabled by default, but users can manually check for updates by clicking the menu button, selecting “Help,” and then “About Firefox.” The browser will automatically check for and install any available updates.
This incident highlights browser vendors’ ongoing security challenges and the importance of rapid response to zero-day vulnerabilities, especially when similar flaws exist across different browsers.
Quickly identifying and patching this vulnerability demonstrates the value of cross-browser security research and collaboration within the cybersecurity community.
#Chrome #Cyber_Security #Cyber_Security_News #Mozilla #Windows #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Mozilla Releases Urgent Patch for Windows Users Following Recently Exploited Chrome Zero-day
Author: Guru BaranMozilla has released an emergency security update for its Firefox browser on Windows systems to address a critical vulnerability that could allow attackers to escape browser sandboxes and potentially gain control of affected systems.
The patch comes shortly after Google patched a similar zero-day vulnerability in Chrome that was being actively exploited in the wild.
According to the Mozilla Foundation Security advisory, the flaw involves an “incorrect handle” in Firefox’s IPC (Inter-Process Communication) code that could lead to sandbox escapes on Windows systems.
Mozilla researcher Andrew McCreight is credited with discovering the vulnerability after Firefox developers identified a pattern similar to the recently exploited Chrome vulnerability.
“Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code,” the advisory states.
“A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape”.
The vulnerability specifically affects Firefox running on Windows operating systems. Linux, macOS, and other operating systems are not vulnerable to this particular exploit.
Browser sandboxes are security mechanisms designed to contain potentially malicious code and prevent it from accessing sensitive system resources.
A sandbox escape vulnerability allows malicious code to break out of these restrictions, potentially giving attackers access to the underlying operating system.
The vulnerability involves Firefox’s IPC mechanism, which manages communication between different process components of the browser.
The flaw could allow a compromised child process to trick the parent process into returning a handle with elevated privileges, effectively bypassing the sandbox protection.
The summary of the vulnerability is given below:
Risk Factors Details Affected Products– Firefox versions prior to 136.0.4- Firefox ESR versions prior to 128.8.1- Firefox ESR versions prior to 115.21.1(Windows versions only)ImpactPotential system compromiseExploit Prerequisites– Windows operating system- Unpatched version of Firefox- Attacker ability to compromise a child processCVSS 3.1 ScoreHigh
Affected Versions and Patch Availability
Mozilla has released fixes for the vulnerability in the following browser versions:
- Firefox 136.0.4
- Firefox ESR (Extended Support Release) 128.8.1
- Firefox ESR 115.21.1
The vulnerability has been classified as “critical” due to its potential impact and the fact that attackers were actively exploiting a similar vulnerability in Chrome.
While Mozilla has not confirmed whether the Firefox vulnerability was exploited in the wild, the advisory notes that the “original vulnerability was being exploited in the wild,” likely referring to the Chrome zero-day.
Windows users running Firefox should immediately update their browsers to the patched versions.
Automatic updates are typically enabled by default, but users can manually check for updates by clicking the menu button, selecting “Help,” and then “About Firefox.” The browser will automatically check for and install any available updates.
This incident highlights browser vendors’ ongoing security challenges and the importance of rapid response to zero-day vulnerabilities, especially when similar flaws exist across different browsers.
Quickly identifying and patching this vulnerability demonstrates the value of cross-browser security research and collaboration within the cybersecurity community.
#Chrome #Cyber_Security #Cyber_Security_News #Mozilla #Windows #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
