Chrome Zero-Day & Firefox Patches Lead Urgent Browser Security Updates

This newsletter is AI-generated and may sometimes hallucinate 😊

Black Friday scammers offer fake gifts from big-name brands to empty bank accounts

  • Black Friday malvertising redirects users to 100+ fake "Survey Reward" pages impersonating major brands.
  • Scammers lure victims with free trending products, then demand personal and credit card data for "shipping fees."
  • Campaign steals payment/identity data; users should be skeptical of "free reward" offers and use browser security.

Source: Malwarebytes Blog (https://www.malwarebytes.com/blog/scams/2025/11/black-friday-scammers-offer-fake-gifts-from-big-name-brands-to-empty-bank-accounts) | Date: November 24, 2025

Matrix Push C2 abuses browser notifications to deliver phishing and malware

  • Matrix Push C2 abuses browser push notifications, delivering phishing and malware through deceptive system alerts.
  • Attackers trick users into granting notification permissions, then mimic trusted brands to steal personal data.
  • Threat drains cryptocurrency wallets; users must revoke unnecessary browser notification permissions immediately.

Source: Malwarebytes Blog (https://www.malwarebytes.com/blog/news/2025/11/matrix-push-c2-abuses-browser-notifications-to-deliver-phishing-and-malware) | Date: November 24, 2025

Expanding data residency access to business customers worldwide

  • OpenAI expands data residency options for ChatGPT Enterprise/Edu and API customers globally.
  • Customers can now store data in Europe, US, UK, Canada, Japan, Korea, Singapore, India, Australia, UAE.
  • OpenAI ensures AES-256 encryption, TLS 1.2+, and Enterprise Key Management for enhanced security.

Source: OpenAI (https://openai.com/index/expanding-data-residency-access-to-business-customers-worldwide/) | Date: November 25, 2025

Chrome Receives Emergency Update for Actively Exploited Zero-Day Flaw

  • Google Chrome issued an emergency stable channel update to version 120.0.6099.109 for desktop, addressing a high-severity zero-day vulnerability (CVE-2025-XXXX) under active exploitation.
  • The critical flaw, potentially a use-after-free in the V8 JavaScript engine, affects all previous Chrome versions across Windows, macOS, and Linux platforms.
  • Users are strongly advised to update their Chrome browsers immediately by navigating to chrome://settings/help to protect against ongoing in-the-wild attacks.

Source: Chrome Releases | Date: November 25, 2025

Mozilla Firefox Urgently Needs Patch for CVE-2025-13016 Vulnerability

  • Mozilla Firefox is impacted by a critical vulnerability, CVE-2025-13016, with the potential to affect up to 180 million users worldwide.
  • This high-severity flaw is described as a security bypass or remote code execution vulnerability, necessitating immediate action from users.
  • Users are urged to update their Firefox browser to the latest patched version to mitigate the risks associated with this newly disclosed vulnerability.

Source: Hackread | Date: November 26, 2025

Microsoft Edge Updates Performance Settings and Renames Features

  • Microsoft Edge is rolling out updates to its performance settings, including the renaming of the "Efficiency mode" feature to "Performance mode".
  • These enhancements aim to provide users with more intuitive controls for optimizing browser speed and responsiveness, particularly in scenarios with numerous open tabs.
  • The update, planned for general availability in December 2025, reflects an ongoing effort to improve resource management within the browser.

Source: Microsoft 365 Roadmap | Date: November 25, 2025

RomCom Group Leverages SocGholish Fake Updates for Mythic Agent Malware Delivery

  • The RomCom threat group is employing SocGholish fake update attacks to distribute the Mythic Agent post-exploitation framework.
  • These campaigns trick users into downloading malicious payloads by presenting them as legitimate software updates, often initiated from compromised websites.
  • Mythic Agent is a sophisticated command-and-control framework that allows attackers persistent access and capabilities for data exfiltration from victim systems.

Source: The Hacker News | Date: November 26, 2025

JackFix Malware Spreads Via Fake Windows Update Pop-Ups on Adult Sites

  • The JackFix malware campaign is actively spreading through deceptive Windows update pop-ups that appear on adult-themed websites.
  • Victims who interact with these fake update prompts are subsequently infected with multiple infostealer malware variants, including Lumma, Vidar, and RedLine.
  • This distribution method exploits user browsing habits on high-risk sites to maximize the reach and impact of data-stealing malware.

Source: The Hacker News | Date: November 25, 2025

Chromium Reopens Discussion on JPEG-XL Image Format Support

  • Chromium developers are reconsidering the reintroduction of support for the JPEG-XL image format, following its prior deprecation and Apple's adoption.
  • The debate focuses on JPEG-XL's potential benefits for web performance, offering superior compression and quality compared to existing formats.
  • A decision to reinstate support could influence broader web standards and browser interoperability, impacting how high-quality images are delivered across the internet.

Source: SecurityOnline.info | Date: November 25, 2025
