Zero-day security vulnerability in Chrome

Update now! Zero-day security vulnerability in Chrome is under attack

Google has released an update for the Chrome web browser. It closes a zero-day vulnerability that is already under attack.

Google released an update for the Chrome web browser on Wednesday night. It plugs a zero-day security vulnerability that attackers are already abusing in the wild. Anyone using Chrome should quickly check whether the bug-fixed version is already installed and active.

In the version announcement, Google's developers write that under undisclosed circumstances Chrome on Windows hands out an incorrect handle (CVE-2025-2783, no CVSS, risk "high" according to Google) in the Mojo component, which provides Chrome's inter-process communication. A handle grants access to a resource; here it grants access to the wrong one, which attackers can abuse. They are already doing so, as Google also notes in the version announcement: "Google is aware of reports that an exploit for CVE-2025-2783 exists in the wild".

Abused zero-day vulnerability discovered by Kaspersky

The exploited zero-day vulnerability was discovered by IT researchers from Kaspersky. In a blog post, they describe the observed attacks, which they attribute to an APT campaign they call "Operation ForumTroll". According to the article, the attack begins with a phishing email purporting to be an invitation to an event of the International Economic and Political Science Forum, with links to a programme and a registration form. In fact, both links lead to a malware infection of the Chrome web browser under Windows without any further interaction on the part of the victim.

Kaspersky is not yet willing to explain the details of the vulnerability, but describes the flaw as a logic error at the boundary between Chrome and the Windows operating system that allows Chrome's sandbox protection to be bypassed. The observed attacks were directed in particular against Russian media representatives, employees of educational institutions and government organizations. Kaspersky assumes the attackers' goal is espionage. The links from the phishing emails are currently no longer active, but the attackers can reuse the exploit elsewhere at any time.

The bug-fixed builds are Chrome 134.0.6998.177 and 134.0.6998.178 for Windows. The extended stable channel has also received 134.0.6998.178 for Windows, so it carries the same fix.

Version check

The version dialog reveals whether Chrome is already up to date. It opens from the browser menu, which sits behind the three stacked dots to the right of the address bar: from there, click "Help" and then "About Google Chrome". If the update has not yet been installed, the dialog offers to install it and then to restart the browser, which is required before the new version is active.
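For administrators who would rather check a fleet than click through the menu, here is an added PowerShell example; it is not part of the heise article and not a Google tool. It assumes Chrome lives in one of the three standard installation paths (an assumption), reads the version stamped into chrome.exe, and compares it with the fixed build number given in the article.

```powershell
# Added example (not from the heise article or Google): check whether the
# installed Chrome build on Windows is at or above the first fixed build.
# Assumptions: Chrome is installed in one of the standard per-machine or
# per-user paths below; the fixed version number is taken from the article.
$FixedVersion = [version]'134.0.6998.177'

$Candidates = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
)

function Get-ChromeVersionStatus {
    param([version]$Fixed = $FixedVersion)

    $exe = $Candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $exe) {
        return [pscustomobject]@{ Installed = $false; Path = $null; Version = $null; Patched = $null }
    }

    # ProductVersion of chrome.exe carries the full four-part build number.
    $installed = [version](Get-Item -LiteralPath $exe).VersionInfo.ProductVersion

    [pscustomobject]@{
        Installed = $true
        Path      = $exe
        Version   = $installed
        Patched   = ($installed -ge $Fixed)
    }
}

$status = Get-ChromeVersionStatus
if (-not $status.Installed) {
    Write-Output 'Chrome not found in the standard installation paths.'
} elseif ($status.Patched) {
    Write-Output "Chrome $($status.Version) is at or above the fixed build $FixedVersion."
} else {
    Write-Output "Chrome $($status.Version) is OLDER than $FixedVersion - update via Help > About Google Chrome and restart."
}

# The on-disk version only says what is installed. An update that has been
# applied but not yet activated by a restart leaves the old build running,
# so also report the version of a running chrome.exe, if any.
$proc = Get-Process -Name chrome -ErrorAction SilentlyContinue | Select-Object -First 1
if ($proc) {
    try {
        Write-Output "Running instance: $($proc.MainModule.FileVersionInfo.ProductVersion)"
    } catch {
        Write-Output 'Running instance found, but its module information could not be read.'
    }
}
```

Run it in a per-user session on each endpoint (or push it through your management tooling); a result of `Patched = False`, or a running instance older than the installed file, means the machine still needs the update and a browser restart.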

Under Linux, the distribution's package management usually delivers the update; since the vulnerability only affects Windows, however, the update is not urgent there. Other Chromium-based web browsers such as Microsoft Edge are also likely to ship an update shortly, which users should likewise apply promptly.

Exactly one week ago, Google released an important update for the Chrome browser. It patched a security vulnerability classified as a critical risk.

Found at https://www.heise.de/news/Jetzt-updaten-Zero-Day-Sicherheitsluecke-in-Chrome-wird-angegriffen-10328773.html