Browser Security

Chrome Patches Eighth Zero-Day of 2025 (CVE-2025-13223)

Nishant Sharma

18 Nov 2025 — 2 min read

Google Patches Actively Exploited Chrome Zero-Day Flaw (CVE-2025-13223)

Google has released an emergency security update for Chrome, addressing CVE-2025-13223, an actively exploited zero-day vulnerability.
The flaw is an integer overflow within the Mojo API, potentially leading to arbitrary code execution or sandbox escape, marking the eighth Chrome zero-day patched this year.
Users are urged to update Chrome immediately to version 129.0.6647.110 or later across all platforms to mitigate the risk of active exploitation.

Source: SecurityOnline.info | Date: November 17, 2025

New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT

A new EVALUSION ClickFix campaign leverages SEO poisoning and malvertising to direct victims to malicious websites, initiating the deployment of Amatera Stealer and NetSupport RAT.
The attackers use JavaScript code on compromised sites to check for specific user and system conditions, enabling evasive malware delivery that bypasses security measures.
Amatera Stealer, a key component of the campaign, is designed to exfiltrate sensitive user data, including stored browser credentials, cryptocurrency wallet details, and system information.

Source: The Hacker News | Date: November 17, 2025

More Prompt||GTFO: Browser AI Prompt Injection Vulnerabilities

Security researchers have highlighted a new "Prompt||GTFO" attack vector, enabling prompt injection against AI assistants integrated into web browsers.
This technique leverages hidden HTML elements within an iframe to manipulate the AI's understanding, allowing for the exfiltration of sensitive user data, such as email addresses, by bypassing cross-origin policies.
The Brave Browser team identified and responsibly disclosed this vulnerability in Opera Neon's AI assistant, demonstrating its potential for cross-origin data leaks.

Source: Schneier on Security | Date: November 17, 2025

Firefox Releases Critical Security Update to Patch 16 Vulnerabilities Including Remote Code Execution Flaws

Mozilla released Firefox version 145 on November 11, 2025, addressing 16 CVEs affecting graphics, JavaScript, and DOM components, with eight rated as high severity vulnerabilities that could allow attackers to execute arbitrary code on users' systems
The most critical issue is CVE-2025-13027, a cluster of memory safety bugs discovered by Mozilla's Fuzzing Team that demonstrate memory corruption patterns, which determined attackers could exploit to achieve remote code execution, potentially bypassing browser sandboxes and compromising entire devices.
Security researchers identified multiple high-severity flaws including CVE-2025-13021, CVE-2025-13022, and CVE-2025-13025 involving incorrect boundary conditions in WebGPU processing, along with WebRTC use-after-free errors that could expose audio and video streams.

Source: Cyber Press | Date: November 17, 2025

References

Google Patches Actively Exploited Chrome Zero-Day Flaw (CVE-2025-13223) in Emergency Update - SecurityOnline.info
New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT - The Hacker News
More Prompt||GTFO - Schneier on Security
Firefox Releases Security Update to Fix Multiple Vulnerabilities Allowing Arbitrary Code Execution - Cyber Press

Browser Security Digest: No Critical Browser-Specific Threats Identified

This newsletter is AI generated and may hallucinate sometimes 😊 Weekly Browser Security Digest: No Critical Browser-Specific Threats Reported * A thorough analysis of recent security advisories and threat intelligence reports reveals no new critical vulnerabilities or active exploit campaigns directly targeting web browsers. * This review focused on web rendering engines, JavaScript

Browser Threats: GoldPickaxe, Opera Neon AI Prompt Injection

This newsletter is AI generated and may hallucinate sometimes 😊 GoldPickaxe Malware Leverages Browser-in-the-Browser Attacks * The GoldPickaxe malware campaign is actively employing sophisticated "browser-in-the-browser" social engineering techniques to target both iOS and Android users. * Attackers are using this method to steal sensitive information, including facial scan data and various

Browser Security Watch: Advanced Phishing Attacks Exploiting Microsoft 365

This newsletter is AI generated and may hallucinate sometimes 😊 Russian APTs Leverage Device Code Phishing for Microsoft 365 Account Takeovers * Russian government-backed hackers are actively employing a device code phishing technique to compromise Microsoft 365 accounts across global government, defense, energy, and intelligence sectors. * This attack bypasses traditional multi-factor authentication

Microsoft Edge Introduces Password Affiliation Service for Enhanced Security

This newsletter is AI generated and may hallucinate sometimes 😊 * Microsoft Edge is rolling out a new password affiliation service aimed at enhancing the security and management of saved user credentials. * This feature intelligently groups and associates passwords across different, but related, domains that belong to the same entity. * By understanding