Google Chrome Under Attack—Emergency Update For 2 Billion Users


This has been a nightmare week for Google and its more than 2 billion desktop Chrome users. The US government has now added a third serious Chrome zero-day to its central catalog of vulnerabilities known to be exploited in active attacks.

You need to ensure your browser has been updated successfully—here’s what you do…

Updated 5/20 with the addition of a third Google vulnerability to CISA’s known exploit catalog, with federal agencies being given until June 10 to update every one of their Chrome instances.

What a week this has been for Google Chrome. If you’re one of the billions defaulting to Chrome as your desktop browser, then the optics of three actively exploited vulnerabilities being confirmed inside six days will be a major concern. And rightly so—Chrome is clearly under attack.

All three vulnerabilities have now been added to CISA—the US Cybersecurity & Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog. This catalog lists “vulnerabilities that have been exploited in the wild… Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.”

It’s not enough to let your browser update automatically—you need to actively ensure the update has been installed with one simple action, as explained below.

Chrome’s first “update now” warning came on May 9, with Google warning it was “aware that an exploit for CVE-2024-4671 exists in the wild.” The vulnerability was a “use after free” issue, where a block of memory is released while a pointer to it is still held, and a later use of that dangling pointer reads or writes memory that may since have been handed to something else, possibly something an attacker controls.

As Kaspersky warns, “an attacker can use UAFs to pass arbitrary code—or a reference to it—to a program and navigate to the beginning of the code by using a dangling pointer. In this way, execution of the malicious code can allow the cybercriminal to gain control over a victim’s system.”


But before most users were even aware of the issue, along came attack number two. On May 13, it was CVE-2024-4761 that prompted Google to warn an exploit had been found in the wild. This time it was an “out of bounds write” memory vulnerability in Chrome’s V8 JavaScript engine. As with most V8 bugs, it can be reached from a maliciously crafted HTML page, so visiting the wrong site is enough to trigger it.

An out-of-bounds read can expose memory contents that should never be reachable, such as addresses or secrets held by the process. An out-of-bounds write lets an attacker corrupt whatever data sits next to the buffer, which at best crashes the browser and at worst is the first step towards running code of the attacker’s choosing.

And then just 48 hours later, on May 15, Google also warned that “an exploit for CVE-2024-4947 exists in the wild.” This was another memory issue in V8, a “type confusion” vulnerability, which again exposes users to a crafted HTML page attack.

Type confusion occurs when code accesses an object as if it were of one type when it is really another, with no check in between. Field reads and writes then operate on memory under the wrong assumptions, pushing the program into an unexpected state that an attacker can steer.

All three are memory-corruption bugs. Any of them can crash the browser, which is worrying in itself, but the same corruption is what an attacker builds on: a controlled write or a misread object is typically shaped into arbitrary code execution in the affected process, and then chained with further exploits to reach the rest of the system.
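To make the three bug classes concrete, here is an added example in C. It is not code from the article, nor from Chrome or V8 (the real fixes live in Chromium’s C++ codebase and are not reproduced here); the struct names, field layouts and function names are assumptions chosen for illustration. Each pattern appears in a vulnerable form beside a hardened form. The vulnerable functions are written out so the pattern is visible, but they are never called, because their behaviour is undefined.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- 1. Use-after-free (CVE-2024-4671 was this class) ---------------- */

/* Hypothetical object a browser might free when a page element goes away. */
typedef struct {
    char name[16];
    void (*on_click)(void);
} Widget;

Widget *g_focused;   /* a second reference the owner forgot about */

/* Vulnerable pattern: the object is freed while another reference still
 * points at it, and that reference is then written through. By then the
 * allocator may have reused the bytes for an attacker-controlled object.
 * Undefined behaviour; shown, not executed. */
void uaf_vulnerable(void) {
    Widget *w = calloc(1, sizeof *w);
    g_focused = w;
    free(w);
    g_focused->on_click = NULL;   /* write through a dangling pointer */
}

/* Hardened pattern (single-owner case only): release through a helper that
 * clears the owner's pointer, and check for NULL before every use. Extra
 * aliases like g_focused above still need their own lifetime discipline. */
void widget_release(Widget **slot) {
    free(*slot);
    *slot = NULL;
}

bool widget_set_handler(Widget *w, void (*handler)(void)) {
    if (w == NULL) {
        return false;             /* stale reference: refuse, touch nothing */
    }
    w->on_click = handler;
    return true;
}

bool uaf_hardened(void) {
    Widget *w = calloc(1, sizeof *w);
    widget_release(&w);
    return widget_set_handler(w, NULL);   /* false: the write never happens */
}

/* ---- 2. Out-of-bounds write (CVE-2024-4761 was this class) ----------- */

#define SMALL_ARRAY_CAPACITY 4

typedef struct {
    int32_t elements[SMALL_ARRAY_CAPACITY];
    int32_t length;               /* lives right after the buffer in memory */
} SmallArray;

/* Vulnerable pattern: the index comes from untrusted input and is never
 * compared with the capacity, so index 4 overwrites `length` and larger
 * indices overwrite whatever follows the object. Shown, not executed. */
void array_store_vulnerable(SmallArray *a, int32_t index, int32_t value) {
    a->elements[index] = value;
}

/* Hardened pattern: reject anything outside [0, capacity). */
bool array_store_hardened(SmallArray *a, int32_t index, int32_t value) {
    if (index < 0 || index >= SMALL_ARRAY_CAPACITY) {
        return false;
    }
    a->elements[index] = value;
    return true;
}

/* ---- 3. Type confusion (CVE-2024-4947 was this class) ---------------- */

enum Tag { TAG_INT, TAG_STRING };

/* A tagged value like the ones a script engine juggles: the payload is
 * meaningful only in the light of `tag`. */
typedef struct {
    enum Tag tag;
    union {
        int64_t i;
        char   *s;
    } as;
} Value;

/* Vulnerable pattern: the payload is read as a pointer without checking the
 * tag. For a TAG_INT value the "pointer" is whatever integer the attacker
 * supplied, so strlen() reads from an address of their choosing.
 * Shown, not executed. */
size_t value_strlen_vulnerable(const Value *v) {
    return strlen(v->as.s);
}

/* Hardened pattern: check the tag, then interpret the payload. */
bool value_strlen_hardened(const Value *v, size_t *out) {
    if (v->tag != TAG_STRING) {
        return false;
    }
    *out = strlen(v->as.s);
    return true;
}

int main(void) {
    SmallArray arr = { {0, 0, 0, 0}, SMALL_ARRAY_CAPACITY };
    Value bad = { TAG_INT, { .i = 0x41414141 } };   /* constructed input */
    char greeting[] = "hello";                        /* constructed input */
    Value good = { TAG_STRING, { .s = greeting } };
    size_t n = 0;

    printf("stale pointer write blocked: %s\n", uaf_hardened() ? "no" : "yes");
    printf("index 4 write blocked:       %s\n", array_store_hardened(&arr, 4, 1) ? "no" : "yes");
    printf("tag mismatch blocked:        %s\n", value_strlen_hardened(&bad, &n) ? "no" : "yes");
    printf("valid string length:         %zu\n", value_strlen_hardened(&good, &n) ? n : 0);
    return 0;
}
```

The point of the pairing is that every hardened variant fails closed: a stale reference, a bad index or a mismatched tag returns false instead of touching memory. Real engines cannot rely on a NULL check alone for the use-after-free case, because, as the `g_focused` alias shows, an object can be reachable from more than one place.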

Most users will have Chrome set to update automatically, which it should always do for security updates of this kind anyway. But that’s not enough in itself. You should always fully close and relaunch Chrome to ensure the update has fully installed.

Given the worrying optics of three zero-days in six days, and the logistics of deploying multiple software releases to so many systems in such a short period of time, you should manually close and relaunch Chrome today, with the browser’s nightmare week hopefully now at an end.

Even if you think the updates have already installed, it’s a good fail safe.

I would actually go further this week, and also suggest a device reboot—if that doesn’t cause too many ancillary issues with other software you have running.

As regards Chrome, this shouldn’t cause too many problems. As Google explains, Chrome “saves your opened tabs and windows and reopens them automatically when it restarts.” But this doesn’t include Google’s quasi private browsing mode. “Your incognito windows won’t reopen when Chrome restarts.”

CISA has also warned that the first two vulnerabilities “could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.”

US federal agencies have until June 3, June 6 and June 10 respectively to “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.”


So, what to make of this nightmare week for Google and its vast numbers of Chrome users? It’s no surprise that Google is hit so often: Chrome is a complex platform, and the ubiquity of its desktop install base makes it a magnet for attackers.

Exploits against any software that an attacker can assume will be on a target device are highly prized. All of which means significant good guy and bad guy efforts to find any vulnerabilities. And so here we are.

It’s a little ironic that just as Chrome’s nightmare week came to an end, Google issued a white paper titled “a more secure alternative,” taking a shot at Microsoft, and suggesting that “in the wake of significant cybersecurity incidents with Microsoft, Google Workspace offers a safer choice.”

Chrome isn’t Workspace and the white paper focused on sophisticated cyber attacks rather than merely exploited vulnerabilities. But let’s remember, one leads to the other.

And quite apart from the detail, optically the timing is somewhat awkward to say the least. Perhaps the PR department could have held that back for just a few days. We don’t yet know the extent of any attacks and whether the exposure of the exploits was connected to any specific campaign.

The good news though, is that Google’s emergency updates were very timely this time around—to the extent that it made headlines the world over. Now you just need to do your bit.
