Google Chrome under attack – emergency update for 2 billion users

It’s been a nightmare week for Google and its more than 2 billion desktop Chrome users. The US government has added a third serious zero-day security threat to its central catalog of vulnerabilities known to be behind active attacks. Now, six more vulnerabilities have also been patched.

You really need to make sure that your browser has been updated successfully – so here’s what you need to do…

Updated on May 22nd. with Google’s fourth Chrome security update in less than ten days.

What a week it has been for Google Chrome. If you’re one of the billions who use Chrome as their default desktop browser, the optics of three actively exploited vulnerabilities confirmed within six days will be a major concern. And rightly so – Chrome is clearly under attack.

And then, just as the ink wasn’t dry on these three emergency updates, a fourth update arrived, this time with six more important security fixes. The latest update, bringing Chrome’s stable channel to 125.0.6422.76/.77 for its over two billion Windows and Mac desktop users, is now rolling out.

ForbesGoogle’s new AI feature is “incredibly dangerous,” Android users warnedFrom Zak Doffman

Of these six fixes, four followed external vulnerability reports as follows:

1. High CVE-2024-5157: Use after free usage in planning. Report by Looben Yang
2. High CVE-2024-5158: Type confusion in V8. Reported by Zhenghang Xiao
3. High CVE-2024-5159: Heap buffer overflow in ANGLE. By David Sievers
4. High CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz

Even if an active exploit has not been discovered, Google notes as usual that “access to bug details and links may remain restricted until the majority of users are updated with a fix. We will also keep restrictions in place if the bug occurs in a third-party library that other projects similarly depend on but that has not yet been fixed.” In short, the greatest risk is when an issue is discovered and fixed, but the majority of users have not yet applied that fix – the clock is ticking.

While the latest updates don’t have the headline-grabbing status of last week’s updates, which also came about as a result of outside reporting, Google still paid for the reporting.

All four known vulnerabilities follow the same pattern as the last three – memory issues where a vulnerability can be attacked to destabilize the system and potentially allow access to running code or read memory that should have been locked.

Use after free and type confusion issues impacting the core JavaScript engine are widespread and Google has confirmed this. The two heap overflow problems are variations on the same memory theme.

Normally an update now warning from Google would grab more headlines, but the news is still buzzing with news from the past few days about these three emergency updates in a row, all of which had spawned active exploits in the U.S. The government is adding them to their active Threat database, with an update or warning to discontinue use for all federal agencies.

When it comes to Google Chrome, the dominant desktop browser, that’s one thing.

The database in question is CISA – the US Cybersecurity & Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog. This catalog lists “vulnerabilities that have been exploited in the wild…Organizations should use the KEV catalog as input to their vulnerability management prioritization framework.”

What users do now – it’s not enough to let your browser update automatically – you need to actively ensure that the update has been installed with a simple action as explained below.

Chrome’s first “Update Now” warning came on May 9, with Google warning that it was “known to have an exploit circulating for CVE-2024-4671.” The vulnerability was a “use after free” issue, where pointers to freed memory are not deleted and can therefore be misused.

Kaspersky warns: “An attacker can use UAFs to pass arbitrary code – or a reference to it – to a program and use a dangling pointer to navigate to the beginning of the code. In this way, execution of the malicious code can allow the cybercriminal to gain control of a victim’s system.”

But before most users were even aware of the problem, attack number two arrived. On May 13, it was CVE-2024-4761 that Google used to warn that an exploit had been found in the wild. This time it was an “out of bounds” memory vulnerability affecting Chrome’s V8 JavaScript engine. This type of issue allows an attacker to attack Chrome with maliciously crafted HTML pages.

An out-of-bounds issue risks exposing sensitive information that shouldn’t be available, while also running the risk of a system or software crash that could potentially allow an attacker to gain access to that data.

And then, just 48 hours later, on May 15, Google also warned that “an exploit for CVE-2024-4947 exists in the wild.” This was another memory issue, a “type confusion” vulnerability, which again exposes users to an attack of crafted HTML pages.

Type confusion occurs when software attempts to access incompatible resources without a safety net in place to mitigate the risk. The error can cause the system to enter an unexpected state and pose a security threat.

All of these vulnerabilities can destabilize the browser or device, which is worrying in itself, but can also be used to allow other exploits to run once the system is destabilized.

Most users have Chrome set to update automatically, which should always be the case with security updates of this type anyway. But that alone is not enough. You should always close Chrome completely and restart it to ensure the update has fully installed.

Given the troubling impact of three zero-day attacks in six days and the logistical challenge of deploying multiple software versions to so many systems in such a short period of time, you should manually close and restart Chrome today, because it’s now the browser’s nightmare week hopefully over.

Even if you think the updates are already installed, it’s a good failsafe.

I’d actually go a step further this week and suggest restarting the device too – as long as it doesn’t cause too many additional problems with the other software you’re running.

As far as Chrome is concerned, this shouldn’t cause too many problems. As Google explains, Chrome “saves your open tabs and windows and automatically reopens them when you restart.” However, this does not apply to Google’s quasi-private browsing mode. “Your incognito windows will not reopen when you restart Chrome.”

CISA also warned that the first two vulnerabilities “could affect multiple web browsers that use Chromium, including but not limited to Google Chrome, Microsoft Edge, and Opera.”

Federal regulators have until June 3, 6 and 10, respectively, to “take remedial action in accordance with the provider’s instructions or discontinue use of the product if remedial action is not available.”

So what to make of this nightmare week for Google and its large number of Chrome users? It’s no surprise that Google is affected so often, as it is a complex platform and a honeypot for attacks given the ubiquity of its desktop install base.

Exploits against any software that an attacker can reasonably assume is on a target device are highly valued. All of this requires significant effort on the part of both good and bad guys to find vulnerabilities. And here we are.

It’s a little ironic that just as Chrome’s nightmare week was coming to an end, Google released a white paper called “A Safer Alternative” in which it takes a look at Microsoft and suggests that “in the wake significant cybersecurity incidents at Microsoft Google Workspace offers a safer choice.”

Chrome is not a workspace, and the white paper focused on sophisticated cyber attacks rather than just exploited vulnerabilities. But remember, one thing leads to another.

And details aside, the timing is a bit visually awkward to say the least. Maybe the PR department could have held off on this for a few days. We don’t yet know how large the attacks were or whether the discovery of the exploits was related to a specific campaign.

The timing is made even more acute given the AI ​​criticism that Chrome is also receiving following Google’s recent updates. “Google search is no longer an algorithm that returns relevant results based on a few keywords you type into a search box,” explains Windows Central. “Instead, it is a system that relies on AI to reason search intent and deliver the most relevant answer. “But even though the company says the new system offers a better experience, inaccurate results are becoming increasingly common, particularly in the latest AI Overview feature, which is designed to show complete answers.”

ForbesWhatsApp unveils clever new feature to ensure your secrets stay privateFrom Zak Doffman

The website offers instructions on how to disable these new AI results, which not only have problems with accuracy – which is bad enough in itself – but also open a Pandora’s box of AI data and user privacy that still There is likely to be greater concern for users as AI transforms so many of these platforms and services.

While you restart the browser to make sure the updates have been installed, you can also check other settings – it never hurts to check your security and privacy settings regularly.

There is good news when it comes to Chrome security, though: the emergency updates came so timely this time that they made headlines around the world. Now all you have to do is do your part.