An update warning has been issued now for 2 billion Google Chrome users

It’s been a nightmare week for Google and its more than 2 billion Chrome desktop users. The US government has added a third major zero-day security threat to its central catalog of vulnerabilities known to be behind active attacks. Now six more vulnerabilities have just been patched.

You really need to make sure your browser has updated successfully – so here’s what you need to do…

Updated May 22 with Google’s fourth Chrome security update in less than ten days.

What a week it’s been for Google Chrome. If you’re one of the billions who default to Chrome as their desktop browser, then the prospect of three actively exploited vulnerabilities confirmed within six days will be a major concern. And rightly so – Chrome is clearly under attack.

And then, with the ink still not dry on those three emergency updates, came a fourth update, this time with six more important security fixes. The latest update, which brings Chrome’s stable channel to 125.0.6422.76/.77 for more than two billion Windows and Mac desktop users, is now rolling out.

ForbesGoogle’s new AI feature is ‘incredibly dangerous’, warns Android users

Of these six patches, four followed reports of external vulnerabilities, as follows:

  1. High CVE-2024-5157: Use after free in Schedule. Reported by Looben Yang
  2. High CVE-2024-5158: Type confusion in V8. Reported by Zhenghang Xiao
  3. High CVE-2024-5159: Memory buffer overflow in ANGLE. Reported by David Sievers
  4. High CVE-2024-5160: Memory buffer overflow in Dawn. Reported by wgslfuzz

As usual, even when no active exploit is found, Google notes that “access to bug details and links may be restricted until most users are updated with a patch. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but has not yet been fixed.” In short, the maximum risk is when there is an acknowledged problem and a fix, but that fix has not yet not implemented by most users – the clock is ticking.

The latest updates don’t have the headline status of last week’s, which were also made after outside reports, but Google still paid for the reports.

All four known vulnerabilities follow the same pattern as the last three – memory issues where the vulnerability can be targeted to destabilize the system and potentially open up access to running code or readable memory that should have been locked.

Post-free and type confusion issues affecting the core JavaScript engine are common, and Google acknowledges it. The two heap overflow problems are variations on the same memory theme.

Normally, an update alert from Google would have generated more headlines of its own, but the media is still abuzz with news from the days leading up to these three emergency updates, back-to-back, all of which spawned active exploits and the US government added them to its database of active threats, with an update or suspension of use alert for all federal agencies.

When we talk about Google Chrome, the dominant desktop browser, that’s something.

The database in question is CISA, the US Cybersecurity and Infrastructure Security Agency’s Catalog of Known Exploited Vulnerabilities (KEV). This catalog lists “vulnerabilities that have been exploited in the wild… Organizations should use the KEV catalog as input to their vulnerability management prioritization framework.”

As for what users are doing now – it’s not enough to let your browser update automatically – you need to actively ensure that the update is installed with one simple action, as explained below.

Chrome’s first “update now” warning came on May 9, with Google warning that it was “aware that an exploit for CVE-2024-4671 exists in the wild.” The vulnerability was a “use-after-free” issue where pointers to freed memory are not deleted and thus could be abused.

As Kaspersky warns, “an attacker can use UAF to pass arbitrary code or a reference to it to a program and navigate to the beginning of the code using a dangling pointer. Thus, the execution of the malicious code can allow the cybercriminal to gain control over the victim’s system.

But before most users were even aware of the problem, attack number two arrived. On May 13, CVE-2024-4761 promoted Google to warn that an exploit was found in the wild. This time it was an “out of bounds” memory vulnerability affecting Chrome’s V8 Javascript engine. This type of issue allows an attacker to target Chrome with maliciously crafted HTML pages.

An out-of-bounds problem risks exposing sensitive information that shouldn’t be accessible, while also risking a system or software crash that could allow an attacker to gain access to that data.

And then just 48 hours later, on May 15, Google also warned that “the exploit for CVE-2024-4947 exists in the wild.” This was another memory issue, a “type confusion” vulnerability that again exposed users to a crafted HTML page attack.

Type confusion occurs when software tries to access incompatible resources without a safety net to catch the risk. The error can bring the system to an unexpected state, opening a security threat.

All of these vulnerabilities can destabilize the browser or device, which is a concern in itself, but can also be used to allow other exploits to run once the system is destabilized.

Most users will have Chrome set to update automatically, which it should always do for security updates of this kind. But that alone is not enough. You should always fully close and restart Chrome to make sure the update is fully installed.

Given the alarming optics of three zero days in six days, and the logistics of deploying multiple software releases to so many systems in such a short period of time, you should manually close and restart Chrome today, with the browser having a nightmare week, hopefully. now over.

Even if you think the updates are already installed, this is a good protection against errors.

In fact, I’d go further this week and also suggest rebooting the device – if it doesn’t cause too many ancillary problems with the other software you’re using.

As for Chrome, this shouldn’t be too much of a problem. As Google explains, Chrome “saves your open tabs and windows and reopens them automatically when it restarts.” But that doesn’t include Google’s quasi-private browsing mode. “Your incognito windows will not reopen when Chrome restarts.”

CISA also warned that the first two vulnerabilities “may affect multiple web browsers that use Chromium, including but not limited to Google Chrome, Microsoft Edge and Opera.”

US federal agencies have until June 3, 6 and 10, respectively, to “implement mitigation measures as directed by the supplier or discontinue use of the product if mitigation measures are not available.”

So what to make of this nightmare week for Google and the vast number of Chrome users. It’s no surprise that Google has been hit so many times, it’s a complex platform and a hotbed for attacks given the ubiquity of the desktop install base.

Exploits against any software that an attacker might assume would be on a target device are highly valued. All this means considerable effort by the good guy and the bad guy to find vulnerabilities. So here we are.

It’s a bit ironic that just as Chrome’s nightmare week ended, Google released a white paper titled “a more secure alternative” attacking Microsoft and suggesting that “as a result of significant cybersecurity incidents with Microsoft, Google Workspace offers a safer choice .”

Chrome is not Workspace, and the white paper focuses on sophisticated cyberattacks, not just exploited vulnerabilities. But let’s remember, one thing leads to another.

And quite apart from the details, visually the weather is a little uncomfortable to say the least. Maybe the PR department could have held this for just a few days. We do not yet know the extent of the attacks and whether the disclosure of the exploits is linked to any specific campaign.

The timing is even worse given the AI ​​criticism that Chrome has also been receiving since Google’s recent updates. “Google search is no longer an algorithm that displays relevant results based on a few keywords you type into the search box,” Windows Central explains. “Instead, it’s a system that relies on AI to motivate search intent to provide the most relevant response.” However, although the company says the new system offers a better experience, inaccurate results continue to rise, especially in the latest AI Preview feature, designed to show full answers.’

ForbesWhatsApp unveils a clever new feature to ensure your secrets stay secret

The site provides a guide to disabling these new AI results, which not only have accuracy issues — bad enough on their own, of course — but also open a Pandora’s box of AI data and user privacy that should be a greater concern for consumers as AI comes to change so many of these platforms and services.

While you’re restarting the browser to make sure updates are installed, you can also review other settings—it never hurts to brush through your security and privacy settings regularly.

When it comes to Chrome security, however, the good news is that the emergency updates this time around were very timely – to the point that they made headlines around the world. Now you just have to contribute.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top