Fixxx
Moder

Google and Mozilla have released important updates for their respective browsers, Chrome and Firefox, which fix a number of serious vulnerabilities. Chrome users need to update their browser to version 131.0.6778.264/265 for Windows and macOS and version 131.0.6778.264 for Linux. This update includes fixes for four security vulnerabilities. For discovering one of them, Google awarded a reward of $55,000. The vulnerability CVE-2025-0291 in the V8 JavaScript engine of Chrome allows remote execution of malicious code through a specially crafted HTML page or even a denial-of-service attack on the computer.
As for Firefox, version 134 of Mozilla's browser includes fixes for 11 security vulnerabilities, three of which are rated as high-risk, while the others are considered moderate. One of the high-risk vulnerabilities (CVE-2025-0244) affects Firefox on Android devices. It allows an attacker to spoof the browser's address bar, redirecting the user to a fake URL. Two other serious vulnerabilities affect both Firefox and the Mozilla Thunderbird email client. Both vulnerabilities, coded CVE-2025-0242 and CVE-2025-0247 respectively, allow an attacker to read or write code outside of normal memory areas. As the developers noted, with sufficient effort, these vulnerabilities could be exploited to execute arbitrary code.
In the near future, articles about the new features of version 132 will appear on the Chrome and Chromium blogs. The update also affects the extended stable channel, which will be updated to version 132.0.6834.83/84. The new version addresses a total of 16 vulnerabilities, some of which were discovered by external researchers. Access to the details may be restricted until most users have updated their browsers or if the vulnerability involves a third-party library. Key vulnerabilities include:
- CVE-2025-0434 - Out-of-bounds access in V8. Discovered by ddme on October 21, 2024.
- CVE-2025-0435 - Incorrect implementation in Navigation. Discovered by Alesandro Ortiz on November 18, 2024.
- CVE-2025-0436 - Integer overflow in Skia. Discovered by Han Zheng (HexHive) on December 8, 2024.
- CVE-2025-0437 - Out-of-bounds read in Metrics ($2000). Discovered by Xiantong Hou and Pisanbao on November 12, 2024.
- CVE-2025-0438 - Stack overflow in Tracing. Discovered by Han Zheng (HexHive) on December 15, 2024.