Update Warning issued to 2 billion Google Chrome users

This week has been a nightmare for Google and its more than 2 billion Chrome desktop users. The US government has added a third major zero-day security threat to its central catalog of vulnerabilities known to be behind active attacks. Six additional vulnerabilities have now also been fixed.

You really need to ensure that your browser is successfully updated – so here’s what to do…

Updated May 22 with Google’s fourth Chrome security update in less than ten days.

What a week it’s been for Google Chrome. If you’re one of the billions who use Chrome as their desktop browser, then the prospect of three actively exploited vulnerabilities confirmed in six days is going to be a big deal. And rightly so – Chrome is clearly under attack.

And then, when the ink wasn’t dry on those three emergency updates, a fourth update arrived, this time with six more important security fixes. The latest update, which brings the stable Chrome channel to 125.0.6422.76/.77 for over two billion Windows and Mac desktop users, is now available.


Of these six fixes, four came from external vulnerability reports, as follows:

  1. High CVE-2024-5157: Use after free in Scheduling. Reported by Looben Yang
  2. High CVE-2024-5158: Type confusion in V8. Reported by Zhenghang Xiao
  3. High CVE-2024-5159: Heap buffer overflow in ANGLE. Reported by David Sievers
  4. High CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz

As usual, even if an active exploit has not been discovered, Google notes that “access to bug details and links may be restricted until most users are updated with the patch. We will also maintain the limitation if the bug exists in a third-party library that other projects similarly depend on, but which has not yet been fixed.” In short, the risk is highest when there is an acknowledged problem and a fix, but the fix has not yet been applied by most users – the clock is ticking.

The latest updates don’t have the headline status of last week’s, which were also based on external reports, but Google still paid for the reports.

All four known vulnerabilities follow the same pattern as the last three – memory issues where the vulnerability can be targeted to destabilize the system and potentially allow an attacker to run code or read memory that should be off-limits.

Use-after-free and type confusion issues affecting the JavaScript engine are common and acknowledged by Google. The two heap overflow problems are variations on the same memory theme.

Normally, an “update now” warning from Google would generate more headlines of its own, but the wires are still buzzing with news of the three emergency updates in the preceding days, one after the other, all of which addressed actively exploited vulnerabilities that the US government has added to its database of active threats, with an update-or-cease-use mandate for all federal agencies.

When we’re talking about Google Chrome, the dominant desktop browser, that’s a big deal.

The database in question is the Known Exploited Vulnerabilities (KEV) catalog maintained by CISA, the US Cybersecurity and Infrastructure Security Agency. This catalog lists “vulnerabilities that have been exploited in the wild… Organizations should use the KEV catalog as input to their framework for prioritizing vulnerability management.”

As for what users should do now – it’s not enough to let the browser update automatically. You have to actively make sure the update has been installed, with one simple action, as explained below.

Chrome’s first “update now” warning came on May 9, with Google warning that it is “aware that an exploit for CVE-2024-4671 exists in the wild.” The vulnerability was a “use-after-free” issue where pointers to freed memory are not removed and thus can be exploited.

As Kaspersky warns, “an attacker can use UAF to pass arbitrary code—or a reference to it—into a program and jump to the beginning of the code using a dangling pointer. In this way, the execution of malicious code can allow a cybercriminal to gain control of the victim’s system.”

However, before most users were aware of the problem, attack number two arrived. On May 13, it was CVE-2024-4761 that prompted Google to warn that an exploit had been found in the wild. This time it was an “out of bounds” memory vulnerability affecting Chrome’s V8 JavaScript engine. This type of issue allows an attacker to target Chrome with a malicious HTML page.

An out-of-bounds issue risks exposing sensitive information that shouldn’t be available, as well as a system or software crash that could allow an attacker to access that data.

And just 48 hours later, on May 15, Google also warned that “an exploit for CVE-2024-4947 exists in the wild.” This was another memory issue, a “type confusion” vulnerability that again exposes users to an HTML page attack.

Type confusion occurs when software accesses a resource using a type that is incompatible with the one it was created as, with no check to catch the mismatch. The bug can put the system in an unexpected state and open up a security threat.

All of these vulnerabilities can destabilize a browser or device, which is a concern in itself, but they can also be used to launch other exploits after destabilizing the system.

Most users will have Chrome set to auto-update, which it should always do for security updates of this kind anyway. But that alone is not enough. You should always close and restart Chrome completely to ensure the update is fully installed.

Given the disturbing optics of three zero days in six days and the logistics of deploying multiple versions of software to so many systems in such a short period of time, you should manually close and restart Chrome today, with the browser nightmare week hopefully now over.

Even if you think the updates have already been installed, this is a good failsafe.

In fact, I’d go even further this week and suggest rebooting the device as well – as long as it doesn’t cause too many side problems with other software you have running.

As for Chrome, it shouldn’t cause too many problems. As Google explains, Chrome “saves your open tabs and windows and automatically reopens them when you restart.” However, this does not include Google’s quasi-private browsing mode. “Your incognito windows won’t reopen after Chrome restarts.”
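The restart advice above comes down to the gap between the build installed on disk and the build still running in memory. As an added example (not from the original article), this sketch triages constructed inventory rows against the 125.0.6422.76 build named above; the row layout, host names and state labels are assumptions.

```python
"""Triage Chrome installs against the fixed stable build named in the article."""

# Fixed stable build from the article (125.0.6422.76/.77 on Windows and Mac).
FIXED_BUILD = "125.0.6422.76"


def parse_version(text):
    """Turn '125.0.6422.76' into (125, 0, 6422, 76); reject malformed strings."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(installed, running, fixed=FIXED_BUILD):
    """Compare numerically, field by field; string comparison would rank .9 above .76."""
    floor = parse_version(fixed)
    if parse_version(installed) < floor:
        return "OUTDATED"            # the update never landed on disk
    if running is not None and parse_version(running) < floor:
        return "RESTART_PENDING"     # updated on disk, old build still in memory
    return "PATCHED"


# Constructed sample rows: (host, version on disk, version of running process or None).
SAMPLE_INVENTORY = [
    ("ws-01", "125.0.6422.77", "125.0.6422.77"),
    ("ws-02", "125.0.6422.76", "124.0.6367.100"),
    ("mac-03", "124.0.6367.100", "124.0.6367.100"),
    ("ws-04", "125.0.6422.76", None),   # browser not currently running
    ("ws-05", "unknown", None),         # inventory agent returned no usable version
]


def triage(inventory):
    """Map each host to a state; unparseable versions are surfaced, not dropped."""
    report = {}
    for host, installed, running in inventory:
        try:
            report[host] = classify(installed, running)
        except ValueError:
            report[host] = "UNKNOWN"
    return report


if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {state}")
```

Hosts in the `RESTART_PENDING` state are the ones the article is warning about: auto-update has done its part, but the old build keeps running until Chrome is closed and reopened.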

CISA also warned that the first two vulnerabilities “may affect multiple web browsers that use Chromium, including but not limited to Google Chrome, Microsoft Edge and Opera.”

US federal agencies have until June 3, 6 and 10, respectively, to “apply mitigations as directed by the supplier or discontinue use of the product if mitigations are not available.”

So what to make of this nightmare week for Google and its vast number of Chrome users? It’s no surprise that Google has been hit so many times: Chrome is a complex platform and a prime target for attacks given the ubiquity of its desktop install base.

An exploit for any software that an attacker can expect to find on a target device is highly prized. All this means considerable effort by both the good guys and the bad guys to find any vulnerabilities. And so here we are.

It’s a bit ironic that just as Chrome’s nightmare week was coming to an end, Google released a white paper called “A Safer Alternative” that attacked Microsoft and suggested that “in the wake of significant cyber incidents with Microsoft, Google Workspace offers a more secure option.”

Chrome is not Workspace, and the white paper focused on sophisticated cyberattacks rather than simply exploiting vulnerabilities. But remember, one thing leads to another.

And aside from the details, the timing is, optically at least, somewhat awkward. Maybe the PR department could only hold it back for a few days. We do not yet know the extent of any attacks and whether the discovery of exploits was related to any specific campaign.

The timing is even worse given the AI criticism Chrome has been receiving since Google’s recent updates. “Google search is no longer an algorithm that displays relevant results based on a few keywords you type into the search box,” explains Windows Central. “Instead, it’s a system that relies on artificial intelligence to reason about search intent to provide the most relevant answer. While the company says the new system offers a better experience, inaccurate results are still on the rise, especially in the latest ‘AI Overview’ feature, which is supposed to display full answers.”


That site provides guidance on how to disable these new AI results, which not only have accuracy issues – bad enough on their own – but also open a Pandora’s box of AI data and user privacy issues that is set to warrant greater user concern as AI changes so many of these platforms and services.

While you’re restarting your browser to make sure the updates have installed, you can also take a look at other settings – it never hurts to check your security and privacy settings regularly.

When it comes to Chrome security, however, the good news is that the emergency updates were very timely this time – to the point that they made headlines around the world. Now just do your bit.
