Showing results for tags 'security update'.
-
Mozilla warns Windows users of critical Firefox sandbox escape flaw
Karlston posted a news in Security & Privacy News
Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems.

Tracked as CVE-2025-2857, this flaw is described as an "incorrect handle could lead to sandbox escapes" and was reported by Mozilla developer Andrew McCreight.

The vulnerability impacts the latest Firefox standard and extended support releases (ESR) designed for organizations that require extended support for mass deployments. Mozilla fixed the security flaw in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1.

While Mozilla didn't share technical details regarding CVE-2025-2857, it said the vulnerability is similar to a Chrome zero-day exploited in attacks and patched by Google earlier this week.

"Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles into unpriviled [sic] child processes leading to a sandbox escape," Mozilla said in a Thursday advisory.

"The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected."

Chrome zero-day exploited to target Russia

Kaspersky's Boris Larin and Igor Kuznetsov, who discovered and reported CVE-2025-2783 to Google, said on Tuesday that the zero-day was exploited in the wild to bypass Chrome sandbox protections and infect targets with sophisticated malware.

They spotted CVE-2025-2783 exploits deployed in a cyber-espionage campaign dubbed Operation ForumTroll, targeting Russian government organizations and journalists at unnamed Russian media outlets.

"The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist," they said.

"The malicious emails contained invitations supposedly from the organizers of a scientific and expert forum, 'Primakov Readings,' targeting media outlets, educational institutions and government organizations in Russia."

In October, Mozilla also patched a zero-day vulnerability (CVE-2024-9680) in Firefox's animation timeline feature exploited by the Russian-based RomCom cybercrime group that let the attackers gain code execution in the web browser's sandbox.

The flaw was chained with a Windows privilege escalation zero-day (CVE-2024-49039) that allowed the Russian hackers to execute code outside the Firefox sandbox. Their victims were tricked into visiting an attacker-controlled website that downloaded and executed the RomCom backdoor on their systems.

Months earlier, it fixed two Firefox zero-day vulnerabilities one day after they were exploited at the Pwn2Own Vancouver 2024 hacking competition.
-
Microsoft closes Secure Boot loophole, securing Windows from firmware attacks.

Microsoft has intensified its Windows 11 campaign by using aggressive tactics, including full-screen multipage popup ads, to urge Windows 10 users to upgrade before the operating system's imminent death, slated for October 14, 2025. However, Windows 10 continues to dominate the market share with a staggering 62.73%, per StatCounter's December 2024 report.

User reluctance to upgrade to Windows 11 can partly be attributed to Microsoft's stringent operating system requirements. These requirements limit the operating system's accessibility to unsupported hardware missing salient features like Secure Boot and TPM.

While these security features are designed to keep the operating system secure, a vulnerability (CVE-2024-7344) has been accessible to bad actors for over seven months, making Windows 11 susceptible to malicious attacks. However, Microsoft finally patched the security threat earlier this week.

For context, the vulnerability allowed hackers to gain unauthorized access to a device and run malicious attacks during the bootup process. As you may know, Secure Boot is one of the stringent system requirements for running Windows 11. The security feature prevents malicious firmware from running when a device is booting.

Hackers often deploy attacks before a device starts because it allows them to hide the ploys in plain sight before Windows loads, making it difficult to identify them. Moreover, it makes the malware less susceptible to defense mechanisms that ship with the operating system.

UEFI security: Win some, lose some

As highlighted by ArsTechnica, Martin Smolár, a security researcher at ESET, made a shocking discovery last year. The researcher noticed that a digitally signed app bypassed Microsoft's strict manual review process for third-party UEFI apps.

For context, Smolár made this deduction when SysReturn, a real-time system recovery software from Howyar Technologies, bypassed the stringent process. The researcher further disclosed that the app was buried under an XOR-encoded UEFI app called reloader.efi.

The manual review process leverages UEFI's LoadImage and StartImage for the Secure Boot process. However, reloader.efi used a custom PE loader (Portable Executable File Format), bypassing Microsoft's review process and overlooking critical security checks.

Perhaps more concerning, reloader.efi wasn't unique to Howyar Technologies' system recovery software. It was also consistent across other apps from six different suppliers, including:

Howyar SysReturn before version 10.2.023_20240919
Greenware GreenGuard before version 10.2.023-20240927
Radix SmartRecovery before version 11.2.023-20240927
Sanfong EZ-back System before version 10.3.024-20241127
WASAY eRecoveryRX before version 8.4.022-20241127
CES NeoImpact before version 10.1.024-20241127
SignalComputer HDD King before version 10.3.021-20241127

While Microsoft has since patched the vulnerability with significant security issues, it allowed hackers to deploy attacks beyond devices with malicious software installed. They could easily install the malicious software because of privileged admin control over susceptible Windows PCs as they'd use the digital signature in the operating system to install the malware during the start process.
-
Microsoft updates Edge to fix security vulnerabilities exploited in the wild
Karlston posted a news in Security & Privacy News
Microsoft has issued a second security update for its browser in the Stable Channel. Following the update from May 2, Microsoft pushed version 124.0.2478.97 to all users to resolve two security vulnerabilities exploited in the wild.

According to its description on the CVE website, CVE-2024-4671 allows remote attackers to exploit heap corruption with a specially crafted HTML page. Google has reported that the exploit "exists in the wild" (in other words, it is already used for malicious intents), so be sure to install the latest security updates as soon as possible.

As for the second one, CVE-2024-30055 is a low-severity spoofing vulnerability that is exclusive to Microsoft Edge. Exploiting it requires the user to click a special link, after which the attacker could get "limited information" from the victim's browser.

Patches for CVE-2024-4671 and 2024-30055 are now available in the Stable Channel and Extended Stable Channel. The latter is a special release option made for enterprise customers who want to get fewer Microsoft Edge updates. The company ships new Edge versions in the Extended Stable Channel every 8 weeks, unlike the "regular" Stable Channel with its 4-week release cycle. The idea behind Microsoft Edge Extended Stable Channel is to give enterprise customers more time to adopt the latest changes and features in the browser.
-
NVIDIA releases a new security update for desktop Kepler-series GeForce GPUs
Karlston posted a news in Technology News
If you are still using a PC with an NVIDIA GeForce GPU that uses the Kepler-based platform, you will need to download a new set of drivers right now. They contain a security update that the company says is made to fix a number of "issues that may lead to multiple security impacts."

The new 474.64 WHQL drivers are specifically for the following desktop NVIDIA GPUs:

You can find a lot more information about this update on NVIDIA's Security Bulletin page. The page lists the several CVE-labeled issues that the new security driver is supposed to fix. They are listed in order from the highest to the lowest base score. The one with the highest base score, at 8.2 (out of 10), is CVE‑2023‑31027. NVIDIA has the details of this specific issue:

The Release Notes for this new driver can be found here. NVIDIA plans to continue releasing security updates for its desktop Kepler GPUs until September 2024.
-
Firefox 118.0.1 and ESR 115.3.1 fix a critical security issue
Karlston posted a news in Software News
Mozilla has just released a security update for its Firefox web browser that patches a critical security issue in all supported versions of the web browser. The update is available for Firefox and Firefox ESR for desktop operating systems, for Firefox Focus and for Firefox for Android.

The desktop version of Firefox is updated to version 118.0.1 to address the issue. Firefox ESR is updated to 115.3.1, and the two Android-based browsers are updated to version 118.1.0.

The security issue is the same that Google addressed in Chromium and Google Chrome yesterday. CVE-2023-5217: Heap buffer overflow in libvpx, is a critical security issue in libvpx. Libvpx is a software video codec library developed by Google and the Alliance for Open Media. The free tool is open source and widely used in web browsers.

Android users need to wait until the new version is pushed to their devices via Google Play.
-
Update Chrome ASAP! Critical security issue exploited in the wild
Karlston posted a news in Security & Privacy News
Google released an emergency security update for its Chrome web browser that addresses a critical security issue that is exploited in the wild.

Chrome users are encouraged to update the stable version of the web browser to the new version immediately to protect the browser against potential attacks. This is done easily on desktop systems: just load chrome://settings/help in the browser's address bar and wait for Chrome to find and download the security update.

The page displays the installed version as well, which should be the following after the installation of the update:

Chrome on Linux or Mac systems: 116.0.5845.187
Chrome on Windows devices: 116.0.5845.187 or 116.0.5845.188
Chrome Extended Stable for Mac: 116.0.5845.187
Chrome Extended Stable for Windows: 116.0.5845.188

Google has not yet released the security update for Android Stable, only for Android Early Stable.

The critical security issue

Google provides information on the critical security issue in Chrome on its official Chrome Releases blog. The issue, a heap buffer overflow vulnerability in WebP, was reported to Google by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School on September 6, 2023.

WebP is an image format that "provides superior lossless and lossy compression for images on the web" according to Google. Google notes further that WebP images are on average 26% smaller in size compared to PNG images, and between 25% and 34% smaller than JPEG images. WebP is a common image format on the Internet.

While Google offers no additional details on the vulnerability, it does warn users that the issue is exploited in the wild already. It is possible that merely opening a website with specially crafted WebP images in Chrome is enough to exploit the issue, but that is speculation at this point.

The security issue, CVE-2023-4863, is the fourth 0-day vulnerability that Google patched in Google Chrome in 2023. The previously fixed 0-day security issues were:

CVE-2023-2033 – Type Confusion in V8 (Chrome 112)
CVE-2023-2136 – Integer overflow in the Skia graphics library (Chrome 112)
CVE-2023-3079 – Type Confusion in V8 (Chrome 114)

Google Chrome users should update the web browser immediately to patch the issue and protect the web browser against exploits. It is unclear if other Chromium-based browsers are also affected by the issue, but it seems likely. Watch out for security update notifications for Microsoft Edge, Brave, Vivaldi or Opera, if these browsers are used.
-
Apple releases iOS 16.7.1 and iPadOS 16.7.1 to patch security issues in older devices
Karlston posted a news in Mobile News
iOS 17 may be the newest software for Apple's devices, but millions of users have an iPhone or iPad that is not compatible with the latest iteration of the operating system. Apple has released iOS 16.7.1 and iPadOS 16.7.1 to patch some critical vulnerabilities on older iPhone and iPad devices.

Apple patches an actively exploited threat in iOS 16

You may be aware that Apple released the iOS 17.0.3 update last week to fix overheating issues on iPhone 15 and older models. The update shipped with two important security fixes. The latest update for iOS 16 includes patches for the same issues.

The first of the 2 bugs has been tracked under CVE-2023-42824. This is a kernel level security issue that a local attacker can exploit to gain elevated privileges to the iPhone. Of course, to do that, they will need physical access to the device. Apple says it was able to patch the security flaw by improving some checks. The Cupertino company has confirmed that it is aware that the vulnerability may have been actively exploited by hackers on versions of iOS older than iOS 16.6.

The other security issue is tracked as CVE-2023-5217. Per the release notes that the company has published on its support portal, this bug is related to WebRTC, and it could allow a buffer overflow to lead to arbitrary code execution. Apple says it addressed the vulnerability by updating libvpx to 1.13.1.

The iOS 16.7.1 update is available for the iPhone 8, iPhone 8 Plus, iPhone X and later. iPadOS 16.7.1 is available for iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad Mini 5th generation and later. The build number for the update is 20H30.

The security patch is not exclusive to older device models. If your iPhone or iPad is eligible for the iOS 17 or iPadOS 16 upgrade, but you have chosen to stick with iOS 16, you should install the new patch as soon as possible in order to protect your device. To install the update, head to the Settings app > General > Software Update.

Interested in learning what's new in iOS 17? Check out the top features in it. And for those with a tablet, we have an article to highlight the best features in iPadOS 17.

I'm not sure whether delaying security updates for older devices is a good idea. Sure it may have only arrived a week later than the iOS 17.0.3 patch, but considering the fact that one of the 2 vulnerabilities has been exploited by attackers, I feel that Apple should have acted more responsibly by patching the flaws sooner. It is not clear whether the company will release a similar security patch for older versions of iOS, for context the last security update for iOS 15 was released a month ago.

Apple may be renowned for long term OS updates, but Google plans to claim the crown from its rival, by supporting its Pixel phones for up to 7 years of OS updates. It is a bold commitment, and only time will answer if the Mountain View company will fulfill its promise.
-
A Google Drive security update will break some of your shared links
Karlston posted a news in Security & Privacy News
An upcoming security update for Google Drive will increase the security of your shared documents but likely break many of your shared links.

Yesterday, Google began emailing Google Workspace admins about a new security update for Google Drive rolling out on September 13th, 2021, to make file sharing more secure.

"We’re releasing a security update which will apply to some Drive files. This will make Google Drive files more secure by updating their links and may lead to some new file access requests," explained Google in a new blog post.

"While we recommend that you apply the update, Google Workspace admins can choose how this update is applied in your organization."

When the security update is applied, it will add a resource key to Google Drive sharing URLs, as shown below.

An example shared URL with resource key: https://drive.google.com/file/d/0B1v_CzospBBbSBRIBk1hZBdpcDB/vieA?usp=sharing&resourcekey=0-nianCdaCdmShrKSOAmcIlA.

If a user has not previously viewed the file or been given direct access, they will need to use this resource key to access the file.

This update will cause any Google Drive links that you previously shared on websites, social media, or elsewhere to no longer work as they will not contain the required resource key.

If you wish to continue publicly sharing your Google Drive documents, you will need to update your posts with the new links that contain the resource key.

Feature rolling out over the next few months

Google is rolling out the Google Drive security update over the next few months in three phases to give Google Workspace admins enough time to prepare.

During Phase 1, which runs from now until July 23rd, 2021, admins can use the Google Alert Center to view an alert about this update with a list of files or folders that may be affected by the update.

They can then go to Apps > Google Workspace > Drive and Docs, click Sharing settings, and then Security update for files, as shown below, to configure how they want to apply the update.

Google Drive security update settings

After clicking on Secure update for files, you will be prompted to select one of the following settings:

Apply the security update with no option for users to remove it—The default for EDU, this option applies the update to all impacted files in your organization.
Apply the security update, but users can remove it for specific files—The default for non-EDU, this option applies the update to all impacted files in your organization.
Remove security update (not recommended)—Links to your files remain the same. There’s no option to remove the security update from folders.

In Phase 2, which is from July 26 to August 25, 2021, Google Drive notifies affected users of the update and any affected items that they own or manage. If an admin permitted them, they can now decide to remove the update from those shared files.

Finally, in Phase 3, which begins September 13, 2021, the update will have finished rolling out based on the settings the admins and their users have configured.
-
WordPress 5.8.3 security update fixes SQL injection, XSS flaws
Karlston posted a news in Security & Privacy News
The WordPress development team released version 5.8.3, a short-cycle security release that addresses four vulnerabilities, three of which are rated of high importance.

The set includes an SQL injection on WP_Query, a blind SQL injection via the WP_Meta_Query, an XSS attack via the post slugs, and an admin object injection.

All of the issues have prerequisites for their exploitation, and most WordPress sites that use the default automatic core updates setting aren't in danger.

However, sites using WordPress 5.8.2 or older, with read-only filesystems that have disabled automatic core updates in wp-config.php, could be vulnerable to attacks based on the identified flaws.

The four flaws addressed with the latest security update are the following:

CVE-2022-21661: High severity (CVSS score 8.0) SQL injection via WP_Query. This flaw is exploitable via plugins and themes that use WP_Query. Fixes cover WordPress versions down to 3.7.37.
CVE-2022-21662: High severity (CVSS score 8.0) XSS vulnerability allowing authors (lower privilege users) to add a malicious backdoor or take over a site by abusing post slugs. Fixes cover WordPress versions down to 3.7.37.
CVE-2022-21664: High severity (CVSS score 7.4) SQL injection via the WP_Meta_Query core class. Fixes cover WordPress versions down to 4.1.34.
CVE-2022-21663: Medium severity (CVSS score 6.6) object injection issue that can only be exploited if a threat actor has compromised the admin account. Fixes cover WordPress versions down to 3.7.37.

There have been no reports of the above being under active exploitation in the wild, and none of these flaws is thought to have a severe potential impact on most WordPress sites.

Nonetheless, it is recommended that all WordPress site owners upgrade to version 5.8.3, review their firewall configuration, and ensure that WP core updates are activated.

This setting can be seen on the 'define' parameter in wp-config.php, which should be "define('WP_AUTO_UPDATE_CORE', true );"

Automated core updates were introduced in 2013 on WordPress 3.7, and according to official stats, only 0.7% of all WP sites are currently running a version older than that.