Google pushed out an emergency patch for Chrome on Windows this week to stop attackers exploiting a sandbox-breaking zero-day vulnerability, seemingly used by snoops to target certain folks in Russia.
Now Mozilla's doing damage control, too, after spotting a similar flaw – albeit unexploited, as far as we're aware – lurking in the code of its Firefox browser.
The Chrome patch addresses a fairly vague vulnerability identified by Kaspersky, which it found after spotting a phishing campaign targeting Russian journalists, academics, and government agencies with bogus invites to an event. Victims who clicked the malicious link in an email didn't need to do anything else - the exploit immediately punched through Chrome's security sandbox, which among other things keeps webpage tabs and plugins isolated from each other, potentially leading to further exploitation that hasn't yet been documented publicly.
"The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist," wrote Kaspersky researchers Igor Kuznetsov and Boris Larin.
The Kaspersky duo said they did not themselves observe subsequent malware infections, but believe the exploit “was designed to run in conjunction with an additional exploit that enables remote code execution.”
Phishing op targets anti-war Russians
Malware targeting Russians is unusual, but on Thursday security shop Silent Push reported some it believes is used by Russian intelligence or a miscreant with similar motives to catch locals who oppose the illegal invasion of Ukraine.
The phishing sites impersonate organizations including the CIA, the Russian Volunteer Corps (a group of Russians in Ukraine fighting against Putin), a similar group Legion Liberty, and Hochu Zhit (translation: I want to live), a Ukrainian helpline established to assist Russian soldiers who wish to surrender.
The fake pages all share a common coding pattern and are designed to fool the target into submitting their personal information. We imagine that those who do so receive a visit from Russian Полици (police).
Google thanked the Kaspersky researchers for quietly tipping the biz off, and updated Chrome, explaining that the issue was caused by an "incorrect handle provided in unspecified circumstances in Mojo on Windows." Mojo, in this case, refers to Chromium's internal inter-process communication (IPC) framework.
Mozilla decided to have a look at its own sandbox, and on Thursday pushed out its own fix after Firefox engineers found a similar flaw in their own IPC plumbing. That hole, now tracked as CVE-2025-2857, also allowed sandbox escapes on Windows.
"Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our inter-process communication (IPC) code," Mozilla advised.
"Attackers were able to confuse the parent process into leaking handles to unprivileged child processes leading to a sandbox escape," the org said, referring to the original Chrome hole.
Given that Google's Chromium framework powers browsers like Edge, Opera, and Brave, users of those apps should expect similar patches to land soon - assuming they haven't already. Meanwhile, the Tor browser, built on Mozilla's open source Firefox project, on Thursday issued a Windows-only emergency release with urgent security fixes. ®
