On April 16, 2025, Google and Mozilla announced the release of critical security updates for their web browsers, Chrome 135 and Firefox 137, addressing several high-severity vulnerabilities that could potentially be exploited by malicious actors.
Chrome 135 Security Updates
Google’s latest update, Chrome 135, is now available as versions 135.0.7049.95/.96 for Windows and macOS, and version 135.0.7049.95 for Linux. This update addresses two significant memory safety vulnerabilities reported by external researchers:
1. CVE-2025-3619: A critical-severity heap buffer overflow issue in the Codecs component.
2. CVE-2025-3620: A use-after-free bug in the USB component.
While Google has not disclosed detailed information about these flaws, such vulnerabilities can often be exploited by attackers to execute arbitrary code, typically by enticing users to visit specially crafted web pages. Users are strongly advised to update their Chrome browsers promptly to mitigate potential risks.
Firefox 137 Security Updates
Mozilla has released Firefox 137.0.2 across all operating systems, addressing the following high-severity vulnerability:
– CVE-2025-3608: A race condition in the nsHttpTransaction component, responsible for handling HTTP transactions.
According to Mozilla, this security defect could lead to memory corruption, potentially allowing attackers to exploit the vulnerability further. Users are encouraged to update to Firefox 137.0.2 to ensure their systems are protected.
Thunderbird Security Updates
In addition to the Firefox update, Mozilla has released Thunderbird 137.0.2 and Thunderbird ESR 128.9.2, addressing two high-severity vulnerabilities and one medium-severity flaw:
1. CVE-2025-3522: An information disclosure vulnerability where, when handling externally hosted attachments, the URL accessed to determine the attachmentâs size is not validated or sanitized, potentially referencing internal resources.
2. CVE-2025-2830: An information disclosure issue that could result in the exposure of hashed Windows credentials or a directory listing of the /tmp directory.
Users of Thunderbird are advised to update to the latest versions to address these security concerns.
Understanding the Vulnerabilities
Memory safety vulnerabilities, such as heap buffer overflows and use-after-free bugs, are critical issues in software development. They occur when a program improperly manages memory allocation and deallocation, leading to potential security breaches.
– Heap Buffer Overflow: This occurs when a program writes more data to a buffer located on the heap than it can hold, potentially allowing attackers to overwrite adjacent memory and execute arbitrary code.
– Use-After-Free: This vulnerability arises when a program continues to use a pointer after the memory it points to has been freed, which can lead to arbitrary code execution or crashes.
Race conditions, like the one identified in Firefox’s nsHttpTransaction component, happen when multiple processes access shared resources simultaneously without proper synchronization, leading to unpredictable behavior and potential security exploits.
The Importance of Timely Updates
Regular software updates are crucial for maintaining system security. They not only introduce new features but also patch known vulnerabilities that could be exploited by cybercriminals. Delaying updates increases the risk of falling victim to attacks that exploit these vulnerabilities.
How to Update Your Browser
To ensure your browser is up-to-date:
– Google Chrome: Click on the three-dot menu in the upper-right corner, go to Help, and select About Google Chrome. The browser will automatically check for updates and prompt you to relaunch if an update is available.
– Mozilla Firefox: Click on the three-line menu in the upper-right corner, go to Help, and select About Firefox. The browser will check for updates and prompt you to restart if an update is available.
– Mozilla Thunderbird: Click on the three-line menu in the upper-right corner, go to Help, and select About Thunderbird. The application will check for updates and prompt you to restart if an update is available.
Conclusion
The recent updates to Chrome 135 and Firefox 137 underscore the ongoing efforts by Google and Mozilla to enhance browser security. By addressing critical vulnerabilities promptly, these updates help protect users from potential exploits. Users are strongly encouraged to update their browsers and email clients immediately to maintain a secure browsing and communication environment.
