By OptionOne Technologies
Cybersecurity News
Critical Firefox Vulnerability Patched Following Similar Chrome Zero-Day
Mozilla has released urgent updates to address a critical security flaw impacting its Firefox browser for Windows, The Hacker News reported. The updates come just days after Google patched a similar vulnerability in Chrome that was actively exploited as a zero-day.
The security vulnerability, CVE-2025-2857, has been described by Mozilla as an incorrect-handle issue in the browser's inter-process communication (IPC) code that could lead to a sandbox escape; it affects Firefox on Windows only.
Mozilla developers identified the flaw after examining the recent Chrome sandbox escape (CVE-2025-2783) and finding a similar pattern in Firefox's IPC code. A sandbox escape is a vulnerability that lets code running in a restricted environment (here, a browser content process that has already been compromised, for example by a malicious web page) bypass its restrictions and reach the host system or other resources it should not have access to.
According to Mozilla’s advisory, “A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape.”
The vulnerability affects both standard Firefox and Firefox Extended Support Release (ESR) versions and has been addressed in Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1.
While there is currently no evidence that CVE-2025-2857 has been exploited in the wild, the Chrome vulnerability it was modelled on (CVE-2025-2783) was used in targeted attacks against media outlets, educational institutions, and government organizations in Russia, Forbes reported.
75% of US Government Websites Experienced Cybersecurity Breaches
New research from the Cybernews Business Digital Index has revealed alarming security statistics about the U.S. government’s online infrastructure. According to a Cybernews report, 75% of US government departments and agency websites have suffered data breaches, with 53.7% scoring “D” or worse for their cybersecurity efforts and 38.8% falling into the “F” category. The study found that almost 54% of government entities have had corporate credentials stolen, and 27% have employees reusing compromised passwords.
“Cybersecurity threats to critical infrastructure are no longer just theoretical — they are an active and growing risk,” stated Vincentas Baubonis, Head of Research at Cybernews.
“Poor cybersecurity practices create vulnerabilities that attackers can easily exploit, potentially shutting down essential services with minimal effort.”
Researchers identified that the most common security issue is related to SSL/TLS configuration, that is, the certificates, protocol versions, and cipher suites a site uses to set up encrypted connections. This issue was found to affect 93% of the departments and agencies analyzed.
Meanwhile, poor system hosting practices affected 77% of government entities. At the time of the report, 24% of domains had experienced recent data breaches, with the latest detected just four days before publication.
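TLS misconfiguration is the kind of finding that is cheap to check for yourself. The following is an added example (not code from the Cybernews report or from any of the sites it assessed) written with Python's standard `ssl` module: it builds a deliberately weak client configuration beside a hardened one, applies a simple policy check to each, and includes a `probe_server` helper that reports the negotiated protocol, cipher, and certificate expiry for a live host. The policy rules and the weak-cipher token list are this example's own assumptions, not a formal standard.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cipher-name fragments that indicate obsolete or broken algorithms (assumed policy).
WEAK_TOKENS = ("RC4", "DES", "NULL", "MD5", "EXP", "ADH", "AECDH")


def cipher_findings(min_version, cipher_names):
    """Pure policy check over a minimum protocol version and a list of
    OpenSSL cipher names. Returns a list of human-readable findings."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        label = getattr(min_version, "name", min_version)
        findings.append(f"minimum protocol version {label} is below TLS 1.2")
    for name in cipher_names:
        if any(tok in name for tok in WEAK_TOKENS):
            findings.append(f"weak cipher enabled: {name}")
        elif not (name.startswith("TLS_") or "DHE" in name):
            # TLS 1.3 suites (TLS_*) and (EC)DHE suites give forward secrecy.
            findings.append(f"cipher without forward secrecy: {name}")
    return findings


def audit_context(ctx):
    """Apply the policy to a live ssl.SSLContext, including verification settings."""
    names = [c["name"] for c in ctx.get_ciphers()]
    findings = cipher_findings(ctx.minimum_version, names)
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    return findings


def hardened_client_context():
    """Client context that negotiates only TLS 1.2+ with AEAD, forward-secret suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname already on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 cipher list; TLS 1.3 suites are controlled separately and stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def weak_client_context():
    """The 'before' configuration: verification off, any protocol version accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def probe_server(host, port=443, timeout=5.0):
    """Connect to a live host with the hardened context and report what was
    negotiated plus certificate expiry. Needs network access; not used by the tests."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            not_after = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "cert_expires": not_after.isoformat(),
                "days_left": (not_after - datetime.now(timezone.utc)).days,
            }


if __name__ == "__main__":
    print("weak context:", audit_context(weak_client_context()))
    print("hardened context:", audit_context(hardened_client_context()))
```

Running the script prints findings for the weak context (protocol floor below TLS 1.2, verification disabled) and an empty list for the hardened one; point `probe_server` at a host you operate to see what a real handshake actually negotiates, since the server, not the client, decides the final cipher and certificate.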
NCSC Sets 2035 Deadline for Post-Quantum Cryptography Migration
The UK’s National Cyber Security Centre (NCSC) has urged organizations to completely migrate their systems, services, and products to post-quantum cryptography (PQC) by 2035, Infosecurity Magazine reported. The goal of PQC is to create cryptographic algorithms that are secure against both traditional and quantum computers.
Although large-scale quantum computers do not yet exist, the public-key algorithms that underpin most of today's encryption (RSA, Diffie-Hellman, and elliptic-curve schemes) would be broken by one; symmetric ciphers such as AES and hash functions are only weakened and can be compensated for with larger key or output sizes. The new guidance sets out three phases for the migration: discovery and planning by 2028, high-priority migrations by 2031, and complete migration by 2035. The aim is to safeguard sensitive information from future risks posed by quantum computers, including data encrypted today that could be captured and decrypted later.
The NCSC’s phased approach aims to ensure a smooth, controlled migration that reduces the risk of rushed implementation and potential security gaps. This guidance is primarily targeted at information and technology leaders of large organizations, operators of critical national infrastructure systems, and companies with bespoke IT solutions.
“Quantum computing is set to revolutionize technology, but it also poses significant risks to current encryption methods,” said Ollie Whitehouse, NCSC Chief Technical Officer.
“Our new guidance on PQC provides a clear roadmap for organizations to safeguard their data against these future threats, helping to ensure that today’s confidential information remains secure in years to come.”
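The discovery phase starts with knowing where cryptography is used and which of it is quantum-vulnerable. The block below is an added example, not NCSC tooling or anything from the guidance itself: it scans a constructed set of configuration and source snippets for algorithm names, classifies each hit as public-key (broken by Shor's algorithm), symmetric, or hash (only weakened by Grover's algorithm), and lists the items that need action. The regex rules, the suggested replacements (the NIST-standardised ML-KEM and ML-DSA), and the sample files are this example's own assumptions, and a real inventory would also cover libraries, hardware modules, and protocols the text scan cannot see. It serves the "inventory all systems that use cryptography" tip further down as well.

```python
import re

# Each rule: (pattern, category, recommended action). The categories follow the
# standard reasoning that Shor's algorithm breaks public-key schemes while
# Grover's only halves symmetric and hash strength. Rules are assumptions
# for this example, not a published standard.
RULES = [
    (r"\bRSA(?:[- ]?\d{4})?\b", "public-key", "replace with ML-KEM / ML-DSA"),
    (r"\b(?:ECDSA|ECDHE?|Ed25519|X25519|secp\d+[rk]1|P-(?:256|384|521))\b",
     "public-key", "replace with ML-KEM / ML-DSA"),
    (r"\b(?:DH|DHE|Diffie-Hellman|modp\d+)\b", "public-key", "replace with ML-KEM"),
    (r"\bAES[- ]?128\b", "symmetric", "move to AES-256 where long-term secrecy is needed"),
    (r"\bAES[- ]?256\b", "symmetric", "adequate"),
    (r"\bSHA-?(?:256|384|512)\b", "hash", "adequate"),
    (r"\bSHA-?1\b|\bMD5\b", "hash", "already broken classically; replace"),
]

# Constructed sample files standing in for a real tree of configs and code.
SAMPLE_FILES = {
    "web/nginx.conf": "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256;\n",
    "vpn/ipsec.conf": "ike=aes256-sha256-modp2048\n",
    "app/settings.py": "SIGNING_KEY_ALGO = 'RSA-2048'\nTOKEN_HASH = 'SHA-256'\nLEGACY_MAC = 'MD5'\n",
}


def inventory(files):
    """Scan {path: text} and return one finding per (file, line, algorithm)."""
    findings, seen = [], set()
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern, category, action in RULES:
                for m in re.finditer(pattern, line, re.IGNORECASE):
                    key = (path, lineno, m.group(0).upper())
                    if key in seen:          # same algorithm twice on one line
                        continue
                    seen.add(key)
                    findings.append({"file": path, "line": lineno,
                                     "algorithm": m.group(0),
                                     "category": category, "action": action})
    return findings


def summary(findings):
    """Count findings per category: the headline numbers for a migration plan."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


def action_items(findings):
    """Everything that is not already adequate, public-key first."""
    todo = [f for f in findings if f["action"] != "adequate"]
    todo.sort(key=lambda f: (f["category"] != "public-key", f["file"], f["line"]))
    return todo


if __name__ == "__main__":
    found = inventory(SAMPLE_FILES)
    print(summary(found))
    for item in action_items(found):
        print(f"{item['file']}:{item['line']} {item['algorithm']:<10} "
              f"{item['category']:<11} -> {item['action']}")
```

On the sample input the scan reports five public-key uses (the RSA and ECDHE/ECDSA ciphers in the web server, the modp2048 IKE group, and the RSA-2048 signing key) that will all need replacing, while the AES-256 and SHA-2 uses remain adequate.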
Cybersecurity Tips
Addressing Critical Cybersecurity Vulnerabilities in Popular Business Software
The recent Firefox and Fortinet vulnerabilities highlight the importance of staying on top of vendor security advisories and patching third-party software as soon as patches are available. Business leaders should consider implementing the following best practices:
- Establish a Vulnerability Management Program: Create a systematic approach to tracking vulnerabilities in all software used within your organization. Prioritize patches based on severity ratings and exploitation status.
- Enable Automatic Updates Where Possible: For widely used applications like web browsers, configure automatic updates to ensure security patches are applied promptly.
- Monitor CISA’s Known Exploited Vulnerabilities Catalog: Regularly check CISA’s Known Exploited Vulnerabilities (KEV) catalog for newly reported vulnerabilities and prioritize addressing those that affect your technology stack.
- Implement Defense in Depth: Never rely on just one security control. Layer multiple security measures so that if one fails, others still protect your systems and data. A familiar example is multi-factor authentication (MFA), which keeps an account protected even after its password has been stolen.
- Prepare for Post-Quantum Cryptography: Begin planning your organization’s migration to post-quantum cryptography well ahead of the NCSC’s 2035 target. Start by inventorying all systems that use cryptography, give priority to those protecting data that must stay confidential for years (encrypted traffic captured today can be decrypted once a capable quantum computer exists), and develop a phased approach to transitioning to quantum-resistant algorithms.
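The KEV catalog is published as a JSON feed, so the "check it regularly" tip can be automated. The following is an added example, not a CISA tool or code from the original briefing: it matches catalog entries against a constructed asset inventory and reports how many days remain before each CISA remediation due date. The catalog rows embedded here mirror the shape of the real feed (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`); the Chrome row is the CVE discussed above, the other two are well-known catalog entries, and all dates are illustrative and should be taken from the live feed. The alias table is an assumption that handles CISA's free-text product names ("Chromium Mojo" versus an inventory's "Chrome").

```python
import json
import urllib.request
from datetime import date

# Real feed URL published by CISA; fetch_kev() is optional and needs network access.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the real feed (dates illustrative).
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-2783", "vendorProject": "Google", "product": "Chromium Mojo",
     "vulnerabilityName": "Google Chromium Mojo Sandbox Escape Vulnerability",
     "dateAdded": "2025-03-27", "dueDate": "2025-04-17", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "vulnerabilityName": "Palo Alto Networks PAN-OS Command Injection Vulnerability",
     "dateAdded": "2024-04-12", "dueDate": "2024-04-19", "knownRansomwareCampaignUse": "Unknown"},
]})

# Hypothetical asset inventory; product names deliberately differ from CISA's wording.
INVENTORY = [
    {"asset": "laptop-fleet", "vendor": "Google", "product": "Chrome"},
    {"asset": "laptop-fleet", "vendor": "Mozilla", "product": "Firefox"},
    {"asset": "build-server", "vendor": "Apache", "product": "Log4j"},
]

# CISA's product field is free text, so map each inventory product to the
# substrings worth looking for (assumed table; extend it for your own stack).
ALIASES = {"chrome": ("chrome", "chromium"), "log4j": ("log4j",)}


def fetch_kev(url=KEV_URL, timeout=15):
    """Download the live catalog as text. Not used by the tests."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def _matches(entry, item):
    """Vendor must match exactly (case-insensitive); product matches by alias substring
    in either the product field or the vulnerability name."""
    if entry["vendorProject"].lower() != item["vendor"].lower():
        return False
    haystack = (entry["product"] + " " + entry["vulnerabilityName"]).lower()
    needles = ALIASES.get(item["product"].lower(), (item["product"].lower(),))
    return any(n in haystack for n in needles)


def match_kev(kev_text, inventory, today=None):
    """Return catalog entries that apply to the inventory, earliest due date first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    hits = []
    for entry in json.loads(kev_text)["vulnerabilities"]:
        for item in inventory:
            if _matches(entry, item):
                due = date.fromisoformat(entry["dueDate"])
                hits.append({
                    "asset": item["asset"], "product": item["product"],
                    "cveID": entry["cveID"], "dueDate": entry["dueDate"],
                    "days_until_due": (due - today).days,   # negative means overdue
                    "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
                })
    hits.sort(key=lambda h: h["dueDate"])
    return hits


if __name__ == "__main__":
    for hit in match_kev(SAMPLE_KEV, INVENTORY):
        state = "OVERDUE" if hit["days_until_due"] < 0 else f"{hit['days_until_due']} days left"
        print(f"{hit['cveID']:<16} {hit['asset']:<14} {hit['product']:<8} "
              f"due {hit['dueDate']} ({state}) ransomware={hit['ransomware']}")
```

Swap `SAMPLE_KEV` for `fetch_kev()` and `INVENTORY` for an export from your asset database to run this against the live catalog; the Firefox entry produces no hit because CVE-2025-2857 has not been reported as exploited, which is exactly the distinction the KEV catalog exists to make.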
Thanks for Reading
That’s it for this month’s Cybersecurity Briefing. Contact us today to learn more about our services.