
Firefox, Chrome Sandbox Flaws Expose Windows Users to Espionage | Image Source: www.bleepingcomputer.com
WASHINGTON, D.C., March 26, 2025 – In a major disclosure for global cybersecurity, Mozilla Firefox and Google Chrome released emergency updates for Windows users following the discovery of critical zero-day vulnerabilities that allow attackers to escape the browsers' sandbox environments. These flaws, tracked as CVE-2025-2857 and CVE-2025-2783 respectively, have already been exploited in active cyber-espionage campaigns, mainly aimed at Russian institutions and media, according to several cybersecurity companies and the browser vendors' advisories.
What is a sandbox escape, and why does it matter?
In plain terms, a "sandbox" is a protective layer that browsers use to isolate web content from the underlying operating system. Think of it as a glass box: the site you visit is allowed to move around inside it, but cannot break the glass and tamper directly with your computer. A sandbox escape is exactly what it sounds like: it's when this invisible wall breaks. That's when attackers can start dropping malware, rummaging through your files, or even taking control of the system.
According to Mozilla, Firefox's vulnerability stems from an "incorrect handle" flaw in the inter-process communication (IPC) code: a compromised child process could trick the browser into leaking sensitive handles from the privileged parent process to an unprivileged child process. This leak opens the door for the attacker to act outside the sandbox.
Meanwhile, Google Chrome's vulnerability, CVE-2025-2783, was apparently far stealthier. According to a Kaspersky report, two researchers, Boris Larin and Igor Kuznetsov, discovered the flaw while studying a wave of sophisticated infections. Their analysis highlighted a sandbox bypass that "seemingly did nothing malicious," yet still completely disabled Chrome's protections on Windows systems.
Who is affected by these vulnerabilities?
Both vulnerabilities are specific to Windows platforms. According to Mozilla, CVE-2025-2857 does not affect Firefox on macOS or Linux. The problem was addressed in Firefox version 136.0.4 and in the Extended Support Release versions 115.21.1 and 128.8.1. Google's flaw is likewise limited to Chrome on Windows, with fixes now shipped in Chrome version 134.0.6998.177/.178.
Organizations that rely on large-scale deployments, such as government offices, universities and the media, are particularly exposed because of their larger attack surfaces. Mozilla's and Google's advisories explicitly state that these vulnerabilities are being actively exploited, with cyber espionage the probable motive.
"This only affects Firefox on Windows. Other operating systems are not affected," Mozilla said in its advisory. Similarly, Google pointed out that "most users" need to install the update before further details about the flaw are disclosed.
What is the story behind Operation ForumTroll?
Perhaps the most alarming aspect of this situation is its connection to an advanced cyber-espionage campaign called Operation ForumTroll. According to Kaspersky, this operation used phishing emails disguised as invitations to a Russian academic conference called "Primakov Readings". The emails were sent to targets in Russian media, government organizations and educational institutions.
Once a user clicked the malicious link in the email, Chrome would open and, without any further action required, the malware would be installed. The exploitation was therefore silent and effective. Kaspersky called the exploit "one of the most interesting we've found," adding that the attackers probably belong to a state-sponsored APT (Advanced Persistent Threat) group.
"All the attack artifacts analysed so far indicate a high degree of sophistication on the part of the attackers, which allows us to conclude with confidence that a state-sponsored APT group is behind this attack," Kaspersky said.
Interestingly, Firefox suffered a similar attack in October 2024. That flaw (CVE-2024-9680) exploited Firefox's animation timeline feature and was used by the Russia-aligned RomCom cybercrime group. It was also paired with a Windows privilege-escalation flaw, indicating a trend of attackers chaining vulnerabilities across layers to maximize their reach.
What are the technical details of these exploits?
Although ​neither Mozilla nor Google revealed the complete technical details, in part to avoid further exploitation before the widespread patch, ​they shared enough to paint an image of the risk involved. The Mozilla defect involves ​poor handle management in the IPC. This problem allows ​attackers to manipulate process privileges ​through ​intelligent use of the underlying ​browser architecture.
Google's flaw is rooted in a logic error in Chrome's "Mojo" IPC framework. This framework is supposed to manage communication between browser components safely. However, the logic error lets an attacker bypass the sandbox entirely on Windows, an exploit that requires no additional permissions or downloads, just a single click on a phishing-email link.
Kaspersky's report explains the findings: "The essence of the vulnerability comes down to a logical error at the intersection of Chrome and the Windows operating system that allows bypassing the browser's sandbox protection."
How can users stay protected?
Google and Mozilla have issued fixes for these critical flaws. Users are encouraged to update their browser immediately. In Chrome, go to Settings > About Chrome to trigger the update check manually. Firefox users can do the same via Help > About Firefox.
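For administrators checking a fleet rather than a single machine, the version check above can be automated. The script below is an added example, not code from Mozilla, Google or Kaspersky; it compares installed build numbers against the fixed versions named in this article (Firefox 136.0.4, ESR 115.21.1 and 128.8.1, Chrome 134.0.6998.177) and flags builds that are still exposed. The inventory lines and hostnames are constructed sample data.

```python
"""Flag Firefox/Chrome builds on Windows that predate the sandbox-escape
fixes for CVE-2025-2857 and CVE-2025-2783. Added example; the inventory
below is constructed sample data, not real hosts."""
from typing import List, Tuple

# Minimum patched version per browser branch, as stated in the advisories.
# Firefox ESR branches (115.x, 128.x) have their own fix releases; any other
# Firefox build is measured against the mainline 136.0.4 release.
PATCHED = {
    "firefox": {115: "115.21.1", 128: "128.8.1", None: "136.0.4"},
    "chrome": {None: "134.0.6998.177"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '134.0.6998.177' (or '128.8.1esr') into a tuple of ints so that
    versions compare numerically rather than lexically."""
    cleaned = text.strip().lower().removesuffix("esr")
    return tuple(int(part) for part in cleaned.split("."))


def required_version(browser: str, version: str) -> Tuple[int, ...]:
    """Pick the fixed version for the branch this build belongs to."""
    branches = PATCHED[browser.lower()]
    major = parse_version(version)[0]
    return parse_version(branches.get(major, branches[None]))


def is_patched(browser: str, version: str) -> bool:
    """True if the installed build is at or above its branch's fix version."""
    return parse_version(version) >= required_version(browser, version)


# Constructed sample inventory export: hostname,browser,installed version.
SAMPLE_INVENTORY = """\
ws-017,firefox,136.0.3
ws-018,firefox,136.0.4
ws-019,firefox,128.8.0esr
ws-020,firefox,128.8.1esr
ws-021,firefox,115.21.1esr
ws-022,chrome,134.0.6998.165
ws-023,chrome,134.0.6998.178
"""


def unpatched_hosts(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, browser, version) for every build still exposed."""
    exposed = []
    for line in inventory.splitlines():
        host, browser, version = line.split(",")
        if not is_patched(browser, version):
            exposed.append((host, browser, version))
    return exposed


if __name__ == "__main__":
    for host, browser, version in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {browser} {version} is unpatched, update required")
```

Feed it a real export from your asset inventory in the same hostname,browser,version shape; anything it lists still needs the emergency update.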
In addition to updating your browser, it is crucial to remain vigilant against phishing attacks. Here are some practical steps:
- Never click on links from unknown sources.
- Verify the sender of the email. If the invitation looks suspicious, it probably is.
- Use email filters and endpoint protection tools to catch malware before it executes.
- Educate employees and users about phishing threats regularly.
As Kaspersky reports, infection in these campaigns occurred "immediately after the victim clicked on a link", with no further interaction. This means that user education and prompt software updates are your best defenses.
What if you don’t update?
If left unpatched, these vulnerabilities allow threat actors to fully compromise affected devices, particularly in corporate or government environments. Remote code execution, data theft, surveillance and ransomware deployment are all possible once the sandbox is broken.
In addition, these flaws are likely to be reverse-engineered by other malicious groups once the full technical details are published. That's why Mozilla and Google are withholding further information until patch adoption reaches critical mass.
"Patching the Chrome flaw breaks the entire infection chain," Kaspersky said. However, the campaign could continue with other variants. Time is therefore of the essence.
Why does this matter so much for national security?
Cyber-espionage campaigns like Operation ForumTroll are not only about stealing passwords, but also about acquiring information that could influence international relations. State-sponsored actors often target sensitive information systems, strategic communications and infrastructure control. This is more than a technology problem; it is a national security problem.
Given the evidence of state involvement, as Kaspersky suggests, the implications go far beyond Russia. Any nation that relies on Chrome or Firefox on Windows is a potential target if similar exploits are developed.
The timing is also worth noting: Microsoft recently issued a warning suggesting that Chrome users may be better off deactivating Edge, citing security concerns. Although this may seem opportunistic, it highlights the broader trust issues surrounding browser-based security in 2025.
In ​conclusion, while Mozilla and ​Google deserve credit to act ​quickly, it is up to users to complete ​the last step. Update your browser now, stay careful with emails, and follow best cybersecurity practices. Because sometimes it takes just one click to ​let the wrong ​ones in.