Chrome and Firefox Release Security Update to Patch Critical Vulnerabilities
Fresh updates for Chrome and Firefox are now being deployed to address over 70 security flaws, including critical memory safety issues that could enable remote code execution.
Chrome’s Security Fixes
Chrome has been upgraded to versions 149.0.7827.155/.156 for Windows and macOS, with the Linux edition receiving version 149.0.7827.155, to resolve 33 security issues. Of these, 32 were identified by Google. The company’s advisory highlights seven critical vulnerabilities, six of which involve use-after-free errors, a memory safety flaw that could be leveraged for remote code execution.
In Chrome, these vulnerabilities could allow attackers to bypass sandbox protections if combined with exploits in the operating system or privileged browser processes. The Chrome update also addresses 26 high-severity flaws, including eight use-after-free issues, as well as problems related to insufficient data validation, improper implementation, out-of-bounds reads, flawed security UI, heap buffer overflows, and uninitialized memory usage.
Firefox’s Security Fixes
Firefox 152 was released to the stable channel, incorporating fixes for 40 vulnerabilities. These include 13 high-severity issues involving use-after-free errors, privilege escalation, incorrect boundary conditions, sandbox escapes, Just-In-Time (JIT) compilation errors, and memory safety problems.
On the same day, the company issued security updates for Firefox Extended Support Release (ESR), Thunderbird, and Firefox for iOS. Further details are available on Mozilla’s advisory page.
Additional Context and Recent Developments
Related coverage includes Chrome 149 updates that addressed 28 vulnerabilities, along with other developments such as a Visual Studio Code flaw enabling GitHub token theft, Google’s integration of a Rust-based DNS parser in Pixel devices, and discussions on AI’s role in cybersecurity.
Recent security events also highlight a supply chain attack impacting 1,500 AUR packages, the emergence of the NewCore startup with $66 million in funding, and legal actions against a Ukrainian individual linked to Conti ransomware. Other updates involve data breaches at iRhythm, phishing operations dismantled by the FBI and Google, and changes to NPM 12’s script execution behavior.
Enterprise-Focused Insights
Enterprise coverage emphasizes the challenges of securing AI-driven environments, the governance of generative development, and strategies for managing machine-speed threats. Industry leaders have also announced new roles in cybersecurity leadership, including appointments at BreachRx, CoreView, and GitLab.
