News in Brief: Firefox follows Chrome with critical exploit patch

Paul Ducklin
03/27/2025

This article was originally published here:
https://pducklin.com/2025/03/27/firefox-follows-chrome

Bugs follow patterns

That zero-day bug in Chrome that we warned about earlier this week?

Turns out that even though Firefox isn’t based on Google’s Chromium code, Mozilla programmers made a similar sort of mistake in their own browser engine.

Technically, the bug is different, because the Firefox bug is CVE-2025-2857 while the Chrome equivalent is CVE-2025-2783.

But the story behind the Chrome zero-day encouraged the Firefox developers to review their own sandbox implementation, where they say they “identified a similar pattern in our inter-process communication [IPC] code.”

Strictly speaking, the Firefox patch can be considered proactive rather than a zero-day, but it’s no less important to apply it as soon as you can.

After all, once the Firefox team knew where to look and what to look for, they came across the CVE-2025-2857 bug very quickly.

Assume, therefore, that a determined cybercriminal who was in on the original Chrome zero-day might be able to do something very similar, and create a working exploit for Firefox in short order, too.


What to do?

Remember these two things:

  • Bugs often follow patterns, so that even independent implementations of the same or a similar algorithm can end up with similar vulnerabilities. If you are a programmer, never, ever gloat at the coding misfortunes of others. Where they went, you may already and unknowingly have followed.
  • Patch early, patch often. Don’t let yourself be one of the stragglers who could have jumped ahead of the cybercriminals, but who lagged behind instead and handed them an opportunity to attack you. Sign up with SolCyber to ensure you have a world-class cybersecurity team to help you stay ahead. Let SolCyber take care of your cybersecurity so that you can focus on your core business instead.

Use Help > About Firefox to ensure you’re up to date.

Look for the version number 136.0.4 after the update is done. (Don’t forget to restart Firefox to unload the old one and reload the new version.)

The version number will be one of ESR 115.21.1 or ESR 128.8.1 if you’re using a Firefox Extended Support Release, or ESR for short. The ESR versions are popular in business networks because they include all relevant security fixes, but don’t force you to take new software features at the same time.
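If you need to check many machines rather than one, the same version test can be scripted. The sketch below is an added example, not part of the original article: the host names and inventory are constructed, and it assumes that ESR builds report their version with an `esr` suffix (as in `128.8.1esr`).

```python
import re

# Fixed versions as stated in the article above.
FIXED_RELEASE = (136, 0, 4)
FIXED_ESR = {115: (115, 21, 1), 128: (128, 8, 1)}

# Matches "136.0.4", "135.0" or "128.8.1esr" at the end of a string.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if unparseable."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, bool(m.group(4))

def patch_status(text):
    """Classify a version string as 'patched', 'outdated' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"  # e.g. beta strings or missing installs: check by hand
    version, is_esr = parsed
    # An ESR build is compared against the fixed version of its own branch;
    # anything else is compared against the fixed mainline release.
    minimum = FIXED_ESR.get(version[0], FIXED_RELEASE) if is_esr else FIXED_RELEASE
    return "patched" if version >= minimum else "outdated"

def hosts_needing_update(inventory):
    """Return sorted (host, status) pairs for every host not confirmed patched."""
    flagged = [(h, patch_status(v)) for h, v in inventory.items()]
    return sorted(item for item in flagged if item[1] != "patched")

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 136.0.4",
    "ws-02": "Mozilla Firefox 136.0.2",
    "ws-03": "Mozilla Firefox 128.8.1esr",
    "ws-04": "Mozilla Firefox 115.21.0esr",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    for host, status in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` are listed alongside `outdated` ones so that an unparseable version string is never silently counted as patched.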




More About Duck


Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
