Updated June 3 following cookie theft warnings.
For Google Chrome and its more than 2 billion desktop users, May will be a month to forget: four zero-day and emergency update warnings in 10 days have triggered a tide of hard-to-miss headlines.
The US government has warned federal employees to install May’s emergency updates or stop using Chrome. It set a deadline of June 3 for the first of these updates and June 6 for the second. June 3 has now passed, so you should already have applied the first update; this is a timely reminder to make sure the second is applied within the next 72 hours. Updating your browser now applies every fix released up to this point.
Other organizations should do the same and require full compliance from employees, and personal users should update too. Google released emergency patches for good reason.
The US government’s warnings come from the Cybersecurity and Infrastructure Security Agency (CISA), which added the May Chrome flaws to its Known Exploited Vulnerabilities (KEV) Catalog, a list of “vulnerabilities that have been exploited in the wild.”
It seems like June 3 was a big day for Chrome. Not only was it the US government’s first update deadline, but it was also the day Google began pulling the plug on many Manifest V2 extensions as the Manifest V3 rollout takes shape.
While this will affect many developers and businesses, headlines have focused on the detrimental effect on ad blockers, which will need a complex workaround to keep working as they do today. There is a risk that users reading these headlines will delay updating their browser to avoid ad-blocking problems; you really shouldn’t go this route: the security update is essential.
While Google’s speed in releasing and announcing the May emergency updates has been praised, the Manifest V2 change will draw more mixed user feedback. As Ars Technica reports, “the highly controversial Manifest V3 system was announced in 2019, and the full change has been delayed a million times, but now Google says it’s actually going to make the transition.”
None of this should stop users from applying the emergency update immediately, if they haven’t already done so. It remains urgent for users around the world to ensure they have installed the updates. Chrome will update automatically, but users must then close and relaunch the browser for the update to take effect.
Also on June 3, Chrome users scrolling through news feeds will have seen worrying headlines after a cryptocurrency trader claimed to have lost $1 million when session cookies were stolen from his system and used to bypass his login and 2FA.
While the Manifest V2 news could wrongly encourage Chrome users to delay their updates, the alleged Binance compromise could have the opposite effect. Both reactions would be wrong. This alleged attack used a malicious plugin that exfiltrated session cookies from the trader’s PC, replicating his logged-in session on another device. This is not a Chrome vulnerability that a patch can fix, and users should be aware of two things.
The first is to be careful about the plugins and extensions installed on a PC: the same rules apply as for any application you install. Be very careful about the source. Anything you install is a potential threat, and an extension that asks for the cookies permission together with access to all sites can read the same session cookies the sites themselves set.
The second is how Chrome works. You may have heard in recent years about Google’s long-delayed plan to eliminate the nasty little tracking cookies that follow users around the web, from site to site. These cookies are the fuel that powers the global online marketing machine, telling advertisers where you go and what you do, and allowing ads to target your likes and weaknesses.
But there is a more user-friendly cousin of the tracking cookie: the session cookie, which lets a site recognize you when you return and, most importantly, means you don’t need to log in every time you do so. The “remember me” and “trust this browser” prompts work this way.
The challenge, as this latest report shows, is that anyone who steals these cookies can potentially replicate the user’s authenticated session on another device. Because the cookie was issued only after the user passed the login and 2FA checks, a stolen copy carries that proof with it, and the site cannot tell the attacker’s browser from the victim’s. “Many users across the web are falling victim to cookie-stealing malware,” Google warned, “allowing attackers to access their web accounts. Malware-as-a-Service (MaaS) operators frequently use social engineering to spread cookie-stealing malware.”
The good news is that Google has a fix that should arrive soon. “We are prototyping a new web feature called Device Bound Session Credentials (DBSC) that will help protect users against cookie theft,” Google announced in April. “By tying authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since the exfiltration of these cookies will no longer have any value.”
In the meantime, let’s talk about the here and now. With Chrome’s run of emergency updates paused, at least for now, this is a good time to issue reminder communications and run whatever automated patching processes your organization has. Obviously, home users should update too.
Google confirmed that exploits for both vulnerabilities, the ones behind CISA’s June 3 and June 6 deadlines, exist in the wild, hence the emergency updates. The first vulnerability, “Use after free in Visuals,” was reported on May 9 and added to KEV on May 13. “Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page,” CISA warns. “This vulnerability could affect multiple web browsers that use Chromium, including… Google Chrome, Microsoft Edge, and Opera.”
The second update, due by June 6, addresses another memory-safety issue, CVE-2024-4761: “Google Chromium V8 engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page,” CISA explained.
Exploiting either issue could allow an attacker to take control of your device, directly or as one link in an exploit chain. Memory-corruption bugs of this kind open the door to arbitrary code execution or to crashing the browser.
For the two exploited vulnerabilities, CISA directed federal agencies to “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.” In practice this means making sure the Chrome update has been downloaded and installed, and the browser relaunched. Although CISA’s June 3 and 6 deadlines apply specifically to US federal agencies, all other public and private sector organizations should do the same.
If your system is of an age or type that no longer supports Chrome updates, you should remove the browser rather than run the risk of exploitation.
The other Chrome zero-days that made their way into KEV in May (CVE-2024-4947 and CVE-2024-5274) require updating or discontinued use by June 10 and June 16, respectively. Applying an update now should ensure that all of these fixes are in place. Make sure your browser is on at least 125.0.6422.141/.142 for Windows and Mac and 125.0.6422.141 for Linux; opening chrome://settings/help shows the installed version and triggers an update check.