
Mozilla has issued an emergency update for Firefox on Windows to address a critical sandbox escape vulnerability (CVE-2025-2857) following the discovery of a similar exploit in Google Chrome (CVE-2025-2783). The flaw, which affects Firefox 136.0.4 and ESR versions 128.8.1/115.21.1, stems from improper IPC handle management in Windows, allowing child processes to bypass sandbox protections. This marks the second major browser vulnerability this month tied to Windows OS-level weaknesses.
TL;DR: Key Takeaways
- Affected Software: Firefox 136.0.4, ESR 128.8.1/115.21.1 (Windows only)
- Vulnerability: CVE-2025-2857 (Sandbox escape via IPC handle leaks)
- Root Cause: Windows IPC flaws exploited in both Firefox and Chrome
- Threat Context: Linked to Operation ForumTroll APT campaign targeting Russian entities
- Action Required: Immediate update via Firefox’s Help → About Firefox
Technical Analysis
The vulnerability was discovered by Mozilla engineer Andrew McCreight during a post-mortem of Chrome’s CVE-2025-2783 patch. Both flaws exploit Windows’ inter-process communication (IPC) mechanisms, though they manifest differently:
| Browser | Exploit Mechanism | Patch Version |
|---|---|---|
| Firefox | Leaked handles allow child processes to access privileged parent resources | 136.0.4 / ESR 128.8.1 |
| Chrome | Mojo IPC bypass via Windows OS flaws (initially misattributed to Mojo) | 134.0.6998.177/.178 |
Kaspersky’s analysis of Operation ForumTroll revealed the Chrome exploit was delivered via phishing emails impersonating the Primakov Readings forum. Attackers used personalized links requiring no additional user interaction beyond clicking.
Remediation Steps
For enterprise environments:
- Verify Firefox versions across all Windows endpoints using:

  ```powershell
  Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Firefox*"} | Select Name, Version
  ```

- Enforce updates via Group Policy or MDM solutions
- Monitor for suspicious child process spawning from Firefox instances
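The following script is an added example for the version-audit and child-process-monitoring steps above; it is not code from the article, Mozilla or Kaspersky. It reads the Uninstall registry keys instead of `Win32_Product`, because that WMI class lists only MSI-installed products (Firefox's default installer is an EXE, so such installs never appear) and triggers an MSI consistency check on every query. The fixed versions (136.0.4, ESR 128.8.1, ESR 115.21.1) are taken from the article; the assumptions are that process-creation auditing (Security log event ID 4688) is enabled on the endpoint, and that the list of Firefox helper executables is a starting baseline to tune per environment.

```powershell
# Added example (not from the article, Mozilla, or Kaspersky): audit Firefox installs on a
# Windows endpoint against the fixed versions the article names, then review recent
# process-creation events for children of firefox.exe that are not Firefox's own helpers.
# Assumptions: Security event 4688 auditing is enabled; $KnownHelpers is an assumed baseline.

# Fixed versions per branch as given in the article, keyed by major version for ESR.
# Any other major version is compared against the mainline fix.
$FixedVersions = @{
    '115'     = [version]'115.21.1'   # ESR 115
    '128'     = [version]'128.8.1'    # ESR 128
    'release' = [version]'136.0.4'    # mainline Firefox
}

# Executables that legitimately run as children of firefox.exe (assumed baseline; tune locally).
$KnownHelpers = @('firefox.exe', 'plugin-container.exe', 'crashreporter.exe', 'pingsender.exe',
                  'updater.exe', 'minidump-analyzer.exe', 'default-browser-agent.exe')

function Get-FirefoxInstalls {
    # Uninstall keys in both the 64-bit and 32-bit registry views cover EXE and MSI installs.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Mozilla Firefox*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-FirefoxPatched {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    # Drop any non-numeric suffix (such as "esr") before casting to [version].
    $v = [version]($DisplayVersion -replace '[^\d.]', '')
    $major = "$($v.Major)"
    $branch = if ($FixedVersions.ContainsKey($major)) { $major } else { 'release' }
    $fixed = $FixedVersions[$branch]
    [pscustomobject]@{
        Installed = $v
        Branch    = $branch
        FixedIn   = $fixed
        Patched   = ($v -ge $fixed)
    }
}

function Get-FirefoxChildProcesses {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Extract the named EventData fields from the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        $parent = $data['ParentProcessName']
        $child  = $data['NewProcessName']
        if ($parent -like '*\firefox.exe' -and $child) {
            $leaf = Split-Path -Leaf $child
            if ($KnownHelpers -notcontains $leaf) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Parent      = $parent
                    Child       = $child
                    CommandLine = $data['CommandLine']   # populated only if command-line auditing is on
                }
            }
        }
    }
}

# Usage: version audit first, then a 24-hour review of unexpected firefox.exe children.
Get-FirefoxInstalls | ForEach-Object {
    $result = Test-FirefoxPatched -DisplayVersion $_.DisplayVersion
    $result | Add-Member -NotePropertyName Product -NotePropertyValue $_.DisplayName -PassThru
} | Format-Table Product, Installed, Branch, FixedIn, Patched -AutoSize

Get-FirefoxChildProcesses -Hours 24 | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since reading the Security log requires administrator rights. Children that survive the helper allowlist still need triage: a handler launched for a downloaded file is expected, whereas a shell, script host or unfamiliar binary spawned from a content process is the pattern worth escalating, and a browser that is unpatched by the first table makes any such finding more urgent.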
Broader Implications
The shared Windows IPC root cause suggests other Chromium-based browsers (Edge, Brave) may require patches. CISA has mandated federal agencies to apply updates by April 17 [1]. Mozilla’s rapid response—within 72 hours of Chrome’s disclosure—demonstrates improved cross-browser coordination for shared platform vulnerabilities.
References
- “[Mozilla Releases Urgent Patch for Windows After Chrome Zero-Day Exploit](https://gbhackers.com/mozilla-releases-urgent-patch-for-windows/)”. GBHackers. [Accessed March 25, 2025].
- Kaspersky Threat Intelligence, “Operation ForumTroll: Analysis of Chrome Zero-Day Exploitation”. [Internal Report]. March 2025.