This has been a nightmare week for Google and its more than 2 billion desktop Chrome users. The US government has now added a third serious zero-day security threat to its central catalog of Chrome vulnerabilities known to be behind active attacks.
You need to ensure that your browser has been updated successfully. This is what you do…
Multiple ‘update now’ warnings issued for billions of Chrome users
Updated May 20 to add a third Google vulnerability to CISA’s known exploit catalog, giving federal agencies until June 10 to update all their Chrome instances.
What a week this has been for Google Chrome. If you’re one of the billions who default to Chrome as your desktop browser, the confirmation of three actively exploited vulnerabilities in six days will be a major concern. And rightly so: Chrome is clearly under fire.
All three vulnerabilities have now been added to CISA, the U.S. Cybersecurity & Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog. This catalog lists “vulnerabilities that have been exploited in the wild… Organizations should use the KEV catalog as input into their vulnerability management priority framework.”
It is not enough to let your browser update automatically; you must actively ensure that the update is installed with one simple action, as explained below.
Chrome’s first “update now” alert came on May 9, with Google warning that it was “aware that an exploit for CVE-2024-4671 exists in the wild.” The vulnerability was a ‘use after free’ issue, where references to freed memory are not removed and can therefore be exploited.
As Kaspersky warns, “an attacker can use UAFs to pass arbitrary code (or a reference to it) into an application and navigate to the beginning of the code using a dangling pointer. In this way, execution of the malicious code can allow the cybercriminal to take control of a victim’s system.”
But before most users were even aware of the problem, attack number two came. On May 13, it was CVE-2024-4761 that Google promoted to warn that an exploit had been found in the wild. This time it was an ‘out of bounds’ memory vulnerability that affected Chrome’s V8 Javascript engine. This type of issue allows an attacker to attack Chrome with maliciously crafted HTML pages.
An out-of-bounds issue risks exposing sensitive information that should not be available, while also causing a system or software crash that could allow an attacker to gain access to that data.
And just 48 hours later, on May 15, Google also warned that “an exploit for CVE-2024-4947 exists in the wild.” This was another memory issue, a ‘type confusion’ vulnerability, which again exposes users to an artificial attack on HTML pages.
Type confusion occurs when software attempts to access incompatible resources without a safety net in place to cushion the risk. The error can put the system in an unexpected state, creating a security risk.
All of these vulnerabilities can destabilize the browser or device, which is concerning in itself, but can also be used to enable other exploits once the system is destabilized.
Most users have Chrome set to update automatically, which should always happen with these types of security updates. But that in itself is not enough. You should always close Chrome completely and restart it to ensure the update is fully installed.
Given the worrying prospects of three zero-days in six days, and the logistics of deploying multiple software releases to so many systems in such a short time, you should manually close and restart Chrome today as the browser’s nightmare week begins hopefully it’s over now. an end.
Even if you think the updates are already installed, it’s a good fail-safe.
I would actually go further this week and also suggest a restart of the device, if that doesn’t cause too many additional problems with other software you are using.
As for Chrome, this shouldn’t cause too many problems. As Google explains, Chrome saves your open tabs and windows and automatically reopens them when it restarts. But this doesn’t include Google’s quasi-private browsing mode. “Your incognito windows won’t reopen when Chrome restarts.”
CISA also warned that the first two vulnerabilities “could affect multiple web browsers using Chromium, including but not limited to Google Chrome, Microsoft Edge, and Opera.”
U.S. federal agencies have until June 3, 6 and 10 respectively to “apply measures according to supplier’s instructions or discontinue use of the product if measures are not available.”
So what to make of this nightmare week for Google and its legions of Chrome users. It’s no surprise that Google gets hit so often. It’s a complex platform and a honeypot for attacks, given the ubiquity of its desktop install base.
Exploits against software that an attacker can assume is on a target device are highly appreciated. All this means significant efforts by good and bad people to find any vulnerabilities. And so here we are.
It’s a bit ironic that just as Chrome’s nightmare week was coming to an end, Google released a white paper titled “a more secure alternative,” in which Microsoft took a stab at it, suggesting that “in the wake of significant cybersecurity incidents involving Microsoft, Google Workspace offers a safer choice.”
Chrome is not a Workspace and the white paper focused on advanced cyber attacks rather than just exploited vulnerabilities. But let’s not forget that one thing leads to another.
And aside from the details, the timing is visually awkward to say the least. Maybe the PR department could have held that off for a few days. We do not yet know the extent of any attacks or whether the disclosure of the exploits was related to a specific campaign.
The good news, however, is that Google’s emergency updates were very timely this time, to the extent that they made headlines around the world. Now all you have to do is do your part.