Browser Security

Critical Chrome Zero-Day (CVE-2025-13223) Patched Amidst Evolving Browser Threats

Nishant Sharma

โ€” 4 min read

Coral: Bridging Parsing and Zero-Knowledge Proofs

  • Coral system enables zero-knowledge proofs that a byte stream matches a Context Free Grammar.
  • It prevents attacks using malformed inputs to generate misleading zero-knowledge proofs.
  • Coral supports practical grammars for verifying JSON API responses and source code parsing.

Source: Brave | Date: November 17, 2025

When Claude Becomes a Cyber-Weapon: The AI Arms Race Has Begun

  • Chinese state-sponsored group used Anthropic's Claude Code to compromise ~30 global targets autonomously.
  • AI handled 80-90% of attack lifecycle, automating thousands of requests per second.
  • Three critical command injection vulnerabilities (CVSS 8.9) affected over 350,000 Claude Desktop downloads.

Source: Koi | Date: November 14, 2025

Chrome zero-day under active attack: visiting the wrong site could hijack your browser

  • Google released critical security updates for Chrome addressing two high-severity V8 JavaScript vulnerabilities.
  • CVE-2025-13223 is actively exploited, allowing heap corruption via malicious HTML pages.
  • Users must update Chrome to version 142.0.7444.175 (Windows/Linux) or 142.0.7444.176 (macOS) immediately.

Source: [Malwarebytes](https://www.malwarebytes.com/blog/news/2025/11/chrome-zero-day-under-active-attack: visiting the wrong site could hijack your browser) | Date: November 18, 2025

Intuit and OpenAI join forces on new AI-powered experiences

  • Intuit and OpenAI formed a multi-year partnership to integrate Intuit apps into ChatGPT.
  • OpenAI models will power Intuit's AI agents for cash-flow, tax, and payroll management.
  • Partnership prioritizes secure, personalized financial insights under Intuit's privacy safeguards.

Source: OpenAI | Date: November 18, 2025

Comet Assistant puts you in control

  • Comet Assistant upgrades enhance user security by displaying actions and allowing real-time guidance.
  • Assistant now seeks explicit permission before performing sensitive tasks like logins or purchases.
  • Built-in safeguards ensure sound judgment, pausing for user input on high-stakes decisions.

Source: Perplexity AI | Date: November 14, 2025

Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar

  • Phishing kits like "Fresh Phish" and "FakeLogon" are employing a "Browser-in-the-Browser" (BitB) technique to create fake browser windows that convincingly mimic legitimate login pages.
  • This technique is particularly effective against 2FA, as the BitB pop-up includes a fake address bar that can display a legitimate domain, misleading users into entering credentials.
  • Attackers register domains with names similar to trusted services, then embed the BitB pop-up within their phishing page to trick victims into thinking they are interacting with the genuine website.

Source: The Hacker News | Date: November 18, 2025

Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages

  • Security researchers identified seven malicious npm packages that utilize the "Adspect" traffic distribution system for cloaking, redirecting users to cryptocurrency scam pages.
  • The packages, including web3-net-kit, web3-http-client, and web3-api-client, appear benign but dynamically load malicious content via Adspect, which helps them evade detection.
  • These packages, collectively downloaded thousands of times, were designed to lure unsuspecting developers into integrating them, subsequently compromising their users with browser-based scams.

Source: The Hacker News | Date: November 18, 2025

Google Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability

  • Google has released an urgent security update for Chrome to patch a zero-day vulnerability, tracked as CVE-2025-13223, that is actively being exploited in the wild.
  • The vulnerability is a type confusion issue found in the V8 JavaScript engine, which attackers can leverage for remote code execution or privilege escalation.
  • Users are strongly advised to update their Chrome browsers to version 120.0.6099.109 or higher for Windows, macOS, and Linux to mitigate the risk of exploitation.

Source: The Hacker News | Date: November 18, 2025

Edge for Business Presents the Worldโ€™s First Secure Enterprise AI Browser

  • Microsoft has introduced "Edge for Business," marketed as the world's first secure enterprise AI browser, designed to enhance productivity and security for organizations.
  • The new browser integrates features like AI-powered enterprise controls, automatic context switching between work and personal profiles, and enhanced data loss prevention.
  • Edge for Business offers a distinct visual identity, including a new icon, and aims to provide advanced security, management, and productivity capabilities for business users.

Source: Microsoft Edge Dev Blog | Date: November 18, 2025

Breaking Down CVE-2025-13223: The Latest Chrome Zero-Day Threat

  • The recently patched Chrome zero-day, CVE-2025-13223, is the seventh such vulnerability addressed by Google in 2025, highlighting a persistent threat landscape for browser security.
  • This type confusion bug in the V8 JavaScript engine can lead to memory corruption, enabling an attacker to gain control over the browser's renderer process.
  • Successful exploitation could allow attackers to execute arbitrary code within the compromised browser context, potentially leading to further system compromise.

Source: The Cyber Throne | Date: November 18, 2025

Google Fixes New Chrome Zero-Day Flaw Exploited in Attacks

  • Google urgently released an out-of-band security update for Chrome to address CVE-2025-13223, a critical zero-day bug actively exploited in attacks.
  • The vulnerability affects the V8 JavaScript engine, where a type confusion issue allows for arbitrary code execution within the browser's sandbox.
  • Users should update to Chrome versions 120.0.6099.109 for desktop (Windows, macOS, Linux) and 120.0.6099.109 for Android to apply the necessary security patches.

Source: BleepingComputer | Date: November 18, 2025

Google Fixed the Seventh Chrome Zero-Day in 2025

  • Google has patched CVE-2025-13223, marking it as the seventh zero-day vulnerability actively exploited in the Chrome browser during 2025.
  • This type confusion flaw in the V8 JavaScript engine underscores the ongoing threat posed by sophisticated attackers targeting browser rendering components.
  • The rapid succession of zero-day patches emphasizes the critical need for users to maintain up-to-date browser versions to protect against emerging threats.

Source: Security Affairs | Date: November 18, 2025

References

  1. Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar - The Hacker News
  2. Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages - The Hacker News
  3. Google Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability - The Hacker News
  4. Edge for Business presents: the worldโ€™s first secure enterprise AI browser - Microsoft Edge Dev Blog
  5. Breaking Down CVE-2025-13223: The Latest Chrome Zero-Day Threat - The Cyber Throne
  6. Google fixes new Chrome zero-day flaw exploited in attacks - BleepingComputer
  7. Cisco Identity Services Engine Reflected Cross-Site Scripting and Information Disclosure Vulnerabilities - Cisco Security Advisory
  8. Multiple Cisco Contact Center Products Vulnerabilities - Cisco Security Advisory
  9. Google fixed the seventh Chrome zero-day in 2025 - Security Affairs
  10. CVE-2025-13223 - NVD
  11. CVE-2025-7009 - NVD
  12. CVE-2025-7010 - NVD
  13. CVE-2025-7001 - NVD
  14. CVE-2025-6997 - NVD

Read more