Mozilla has released Firefox 136.0.4, an update that patches a severe security vulnerability affecting Windows users. The critical flaw, tracked as CVE-2025-2857, could allow attackers to escape the web browser's sandbox, posing a significant risk to user security. The vulnerability was reported by Mozilla developer Andrew McCreight.
CVE-2025-2857 is described as an incorrect handle that could lead to sandbox escapes. The flaw impacts both the latest standard releases of Firefox and the Extended Support Release (ESR) versions, which are designed for organizations that require extended support for mass deployments. Mozilla has fixed the issue in Firefox 136.0.4 and in Firefox ESR versions 115.21.1 and 128.8.1.
While Mozilla did not disclose technical specifics of CVE-2025-2857, it indicated that the vulnerability is similar to a recently patched zero-day vulnerability in Google Chrome. That Chrome vulnerability was exploited in real-world attacks, underscoring the urgency of the fix.
In a Thursday advisory, Mozilla explained that following the Chrome sandbox escape tracked as CVE-2025-2783, various Firefox developers found a comparable pattern in Firefox's Inter-Process Communication (IPC) code. They noted that attackers could manipulate the parent process into leaking handles into unprivileged child processes, leading to a sandbox escape. Mozilla said that the original vulnerability was already being exploited in the wild, and that the Firefox issue affects only Firefox on Windows; other operating systems are unaffected.
In related news, Kaspersky's Boris Larin and Igor Kuznetsov reported that the Chrome zero-day, CVE-2025-2783, was actively exploited to bypass Chrome's sandbox protections. This exploit was part of a cyber-espionage campaign named Operation ForumTroll, which targeted Russian government organizations and journalists from unnamed Russian media outlets. The researchers expressed their astonishment that the vulnerability allowed attackers to bypass robust sandbox protections without engaging in overtly malicious actions.
The malicious emails utilized in this campaign contained invitations purporting to be from the organizers of a scientific forum called 'Primakov Readings', targeting various media outlets, educational institutions, and government organizations across Russia.
Earlier, in October, Mozilla also addressed a different zero-day vulnerability, tracked as CVE-2024-9680, in Firefox's animation timeline feature. That flaw was exploited by the Russia-based RomCom cybercrime group and enabled attackers to execute code within the Firefox sandbox. It was chained with a Windows privilege escalation zero-day, CVE-2024-49039, allowing Russian hackers to execute code beyond the Firefox environment. Victims were misled into visiting an attacker-controlled website, which then downloaded and executed the RomCom backdoor on their systems.
As cybersecurity threats continue to evolve, it is crucial for users to keep their browsers updated to the latest versions to safeguard against these vulnerabilities. Mozilla's prompt response in releasing Firefox 136.0.4 demonstrates its commitment to user security and highlights the importance of vigilance in the face of emerging cyber threats.
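
To check a fleet against the fixed builds named above (Firefox 136.0.4, ESR 115.21.1 and ESR 128.8.1) and the Windows-only scope of CVE-2025-2857, a triage script along these lines can be run over an inventory export. This is an added example, not Mozilla's code; the inventory rows, hostnames and status labels are constructed, and it assumes ESR builds are reported with an `esr` suffix in the version string.

```python
import re

# Fixed builds named in the article; nothing is assumed about other ESR branches.
FIXED_RELEASE = (136, 0, 4)
FIXED_ESR = {115: (115, 21, 1), 128: (128, 8, 1)}

def parse_version(text):
    """Return ((major, minor, patch), is_esr) from strings like '128.8.0esr'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"no Firefox version in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None

def triage(os_name, version_text):
    """Classify one inventory row against CVE-2025-2857 as the article describes it."""
    if os_name.lower() != "windows":
        return "not-affected"      # article: only Firefox on Windows is affected
    version, is_esr = parse_version(version_text)
    if not is_esr:
        return "patched" if version >= FIXED_RELEASE else "update-required"
    fixed = FIXED_ESR.get(version[0])
    if fixed is None:
        return "review"            # ESR branch with no fixed build named in the article
    return "patched" if version >= fixed else "update-required"

# Constructed sample inventory: (host, OS, reported version string).
INVENTORY = [
    ("ws-001", "Windows", "Mozilla Firefox 136.0.3"),
    ("ws-002", "Windows", "Mozilla Firefox 136.0.4"),
    ("ws-003", "Windows", "Mozilla Firefox 128.8.0esr"),
    ("ws-004", "Windows", "Mozilla Firefox 115.21.1esr"),
    ("ws-005", "Linux", "Mozilla Firefox 135.0"),
    ("ws-006", "Windows", "Mozilla Firefox 102.15.1esr"),
]

def report(rows):
    """Map each host to its triage status."""
    return {host: triage(os_name, ver) for host, os_name, ver in rows}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts marked `review` are on an ESR branch for which the article names no fixed build, so they need a manual decision rather than an automatic pass.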