Back to Intelligence

Chrome 147 & Firefox 150: Critical RCE Flaws Patched – Detection & Remediation

SA
Security Arsenal Team
April 29, 2026
6 min read

Security operations teams must prioritize the immediate deployment of Google Chrome 147 and Mozilla Firefox 150. Both vendors have released out-of-band security refreshes addressing critical and high-severity vulnerabilities capable of Arbitrary Code Execution (ACE). Given the browser's status as a primary attack vector for initial access—often used in drive-by downloads or watering hole attacks—delayed patching provides threat actors with a reliable entry point into enterprise environments.

The severity of these updates necessitates an immediate emergency patch cycle. For organizations relying on browser-based workflows or VDI environments, the risk of a renderer exploit bypassing the sandbox to achieve system-level execution is the primary concern.

Technical Analysis

Affected Products & Versions:

  • Google Chrome: Versions prior to 147.0.xxxx (Desktop platforms: Windows, macOS, Linux).
  • Mozilla Firefox: Versions prior to 150.0 (Desktop platforms: Windows, macOS, Linux).

Vulnerability Overview: While the specific CVE identifiers and deep-dive technical writeups are often released concurrently with the binary updates, the vendor advisories classify these flaws as "Critical" and "High." Based on the typical severity classification for browser updates of this magnitude, these vulnerabilities likely involve:

  • Use-After-Free (UAF) errors: Involving memory mishandling in the rendering engine (Blink in Chrome, Gecko in Firefox).
  • Heap Corruption: Allowing an attacker to write data outside the allocated buffer space.
  • Type Confusion: Where the browser misinterprets the type of an object, leading to malicious code execution.

The Attack Chain (Defender's Perspective):

  1. Initial Access: A user is lured to a maliciously crafted webpage (drive-by download) or a trusted site is compromised (watering hole).
  2. Exploitation: The malicious JavaScript triggers a memory corruption vulnerability within the browser's renderer process.
  3. Sandbox Escape: The attacker leverages the initial bug to break out of the browser's sandbox. This is the most critical step; without it, the impact is limited to the browser tab context.
  4. Execution: Upon successful escape, the attacker executes arbitrary shellcode with the privileges of the logged-in user, potentially leading to credential theft (dumping LSASS memory), malware deployment, or lateral movement.

Exploitation Status: While active exploitation in the wild has not been explicitly confirmed in the initial alert, the "Critical" rating usually implies that vendors have detected credible intelligence regarding exploit development or high technical feasibility. Defenders should assume PoC (Proof of Concept) code is available or imminent.

Detection & Response

Browser exploitation is notoriously difficult to detect at the network layer because the payload is often delivered over encrypted HTTPS (port 443). Furthermore, modern exploit kits obfuscate their JavaScript to blend in with legitimate web traffic. Therefore, detection must focus on the post-exploitation behaviors—specifically, the browser parent process spawning unexpected child processes.

SIGMA Rules

YAML
---
title: Potential Browser Exploit - Chrome Spawning Shell
id: 8c4e6a21-5d7f-4b5a-9a8c-1d2e3f4a5b6c
status: experimental
description: Detects Google Chrome spawning cmd.exe, powershell.exe, or wscript.exe. This is highly indicative of a successful browser exploit attempting to gain a foothold.
references:
  - https://attack.mitre.org/techniques/T1059/
  - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2025/04/06
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\chrome.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
falsepositives:
  - Rare legitimate developer debugging (usually low volume)
  - Misconfigured browser extensions (needs tuning)
level: critical
---
title: Potential Browser Exploit - Firefox Spawning Shell
id: 9d5f7b32-6e8g-5c6b-0b9d-2e3f4a5b6c7d
status: experimental
description: Detects Mozilla Firefox spawning cmd.exe or powershell.exe, indicative of code execution post-exploitation.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2025/04/06
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\firefox.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
  condition: selection
falsepositives:
  - Legitimate user interaction (rare for firefox to spawn shell directly)
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for anomalous process creation events originating from the primary browser executables.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp >= ago(1d)
| where InitiatingProcessFileName in~ ('chrome.exe', 'firefox.exe')
| where FileName in~ ('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'regsvr32.exe')
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName, FolderPath
| order by Timestamp desc

Velociraptor VQL

Velociraptor artifact to hunt for suspicious parent-child relationships on the endpoint.

VQL — Velociraptor
-- Hunt for Chrome or Firefox spawning suspicious child processes
SELECT
  Pid AS ChildPid,
  Name AS ChildName,
  CommandLine AS ChildCmd,
  Parent.Pid AS ParentPid,
  Parent.Name AS ParentName,
  Parent.CommandLine AS ParentCmd,
  Username,
  CreateTime
FROM pslist()
WHERE
  Parent.Name =~ "chrome.exe" OR Parent.Name =~ "firefox.exe"
  AND Name IN ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")

Remediation Script (PowerShell)

This PowerShell script checks the current versions of Chrome and Firefox against the patched baseline versions (147.x and 150.x respectively) to identify endpoints requiring updates.

PowerShell
# Check for vulnerable Chrome and Firefox versions
Write-Host "Checking Browser Security Status..." -ForegroundColor Cyan

# Check Chrome (Target: >= 147.0.xxxx)
$ChromePath = "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
if (Test-Path $ChromePath) {
    $ChromeVer = (Get-Item $ChromePath).VersionInfo.FileVersion
    $ChromeMajor = [int]($ChromeVer.Split('.')[0])
    if ($ChromeMajor -lt 147) {
        Write-Host "[VULNERABLE] Google Chrome version $ChromeVer detected. Version 147+ required." -ForegroundColor Red
    } else {
        Write-Host "[PATCHED] Google Chrome version $ChromeVer detected." -ForegroundColor Green
    }
} else {
    Write-Host "Google Chrome not found at default path." -ForegroundColor Gray
}

# Check Firefox (Target: >= 150.0)
$FirefoxPath = "${env:ProgramFiles}\Mozilla Firefox\firefox.exe"
if (-not (Test-Path $FirefoxPath)) {
    $FirefoxPath = "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe"
}

if (Test-Path $FirefoxPath) {
    $FirefoxVer = (Get-Item $FirefoxPath).VersionInfo.FileVersion
    $FirefoxMajor = [int]($FirefoxVer.Split('.')[0])
    if ($FirefoxMajor -lt 150) {
        Write-Host "[VULNERABLE] Mozilla Firefox version $FirefoxVer detected. Version 150+ required." -ForegroundColor Red
    } else {
        Write-Host "[PATCHED] Mozilla Firefox version $FirefoxVer detected." -ForegroundColor Green
    }
} else {
    Write-Host "Mozilla Firefox not found at default path." -ForegroundColor Gray
}

Remediation

  1. Verify and Update Chrome:

    • Navigate to chrome://settings/help.
    • Ensure the version updates to 147.0.xxxx.xx or later.
    • Restart the browser to apply the update.

  2. Verify and Update Firefox:

    • Navigate to Menu > Help > About Firefox.
    • Firefox will automatically check for updates. Ensure it updates to Version 150.0 or later.

  3. Enterprise Deployment:

    • Chrome: Deploy via WSUS/SCCM or update your Google Update policies to enforce version 147.
    • Firefox: Update your ESR or Rapid Release configuration in your management tool (e.g., SCCM, Intune, GPO) to push version 150 immediately.

  4. User Awareness:

    • Inform users that a critical update is being applied and encourage a browser restart if the update does not trigger automatically.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosuregoogle-chromefirefoxbrowser-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action