Chrome is under attack—you have 21 days to update.
Despite Microsoft’s efforts to push users to the Edge, Chrome is the default browser for the vast majority of Windows users. All those users must now update Chrome, after Google warned that a new zero-day exploit has been found in the wild. An emergency update was released yesterday and needs to be installed immediately.
The vulnerability was discovered by Kaspersky this month, with its team warning of a “wave of infections by previously unknown and highly sophisticated malware.” The attack comes via an email link and “infection occurs immediately.” Beyond clicking the link, Kaspersky says, “no further action was required to become infected.”
Now America’s cyber defense agency has issued its own warning for users to update Chrome by April 17 “or discontinue use of the product” if they cannot. That mandate applies formally to any federal employee, but CISA’s guidance should be followed by all organizations public and private, large and small. The agency’s remit is “to help every organization better manage vulnerabilities and keep pace with threat activity.”
Chrome isn’t the only browser affected by this; Mozilla has also issued a warning. “Following the recent Chrome sandbox escape, various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild.”
Chrome’s stable desktop version for Windows has been updated to 134.0.6998.177/.178 to patch CVE-2025-2783. Check for that update now, and once it has downloaded, make sure you restart your browser to install the fix. Mozilla also advises that its vulnerability “only affects Firefox on Windows. Other operating systems are unaffected.”
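For administrators who need to confirm the update actually landed across a fleet rather than on one machine, the check below compares inventoried Chrome builds against the fixed build named above. This is an added example, not code from the article, Google, Kaspersky or CISA; the inventory lines are constructed, and the only page-derived value is the patched build 134.0.6998.177 (the .178 build also named in the article is newer and so passes).

```python
"""Flag Chrome installs still below the build that patches CVE-2025-2783."""
import csv
import io
from typing import Dict, List, Optional, Tuple

# First stable desktop build carrying the fix, taken from the article.
PATCHED_VERSION = "134.0.6998.177"

# Constructed sample inventory in the shape an endpoint-management export
# might give: hostname plus the Chrome version reported by the agent.
INVENTORY = """\
host,chrome_version
ws-01,134.0.6998.166
ws-02,134.0.6998.177
ws-03,134.0.6998.178
ws-04,133.0.6943.141
ws-05,not-installed
ws-06,135.0.7049.42
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'a.b.c.d' into a tuple of ints; None if it is not a dotted version."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = PATCHED_VERSION) -> Optional[bool]:
    """True if version >= fixed, False if older, None if unparseable."""
    v, f = parse_version(version), parse_version(fixed)
    if v is None or f is None:
        return None
    return v >= f  # tuple comparison handles 4-part Chrome builds correctly


def classify(inventory_csv: str) -> Dict[str, str]:
    """Map each host to 'patched', 'vulnerable' or 'unknown'."""
    result: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        state = is_patched(row["chrome_version"])
        result[row["host"]] = (
            "unknown" if state is None else "patched" if state else "vulnerable"
        )
    return result


def find_unpatched(inventory_csv: str) -> List[str]:
    """Hosts that report a Chrome build older than the fix and need action."""
    return [h for h, s in classify(inventory_csv).items() if s == "vulnerable"]
```

Hosts that come back as "unknown" (no version, or an agent that reports something other than a dotted build) still need a manual look; a restart is also required after the download, as the paragraph above notes, so a reported patched version alone does not prove the fix is running.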
Reports suggest current attacks are highly targeted, but now that a patch is available you can expect attacks to increase for as long as unpatched installs remain exploitable. As ever, a targeted exploit finds its way into other, less sophisticated hands fairly quickly.
Kaspersky says “this particular exploit is certainly one of the most interesting we’ve encountered,” given that “without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist.” As far as attribution goes, Kaspersky says it can “confidently conclude that a state-sponsored APT group is behind this attack.”
The new attack chains this exploit with another that has not yet been identified and fixed. But updating Chrome now stops the currently flagged attacks in any case.