It’s been a nightmare week for Google and its more than 2 billion Chrome desktop users. The US government has added a third serious zero-day security threat to its central catalog of vulnerabilities known to be behind active attacks. Six more vulnerabilities have now also been fixed.
You really need to ensure that your browser updates successfully—so here’s what you need to do…
Updated May 22, with Google’s fourth Chrome security update in less than ten days.
What a week it’s been for Google Chrome. If you’re one of the billions who use Chrome as their desktop browser, then the optics of three actively exploited vulnerabilities being confirmed within six days will be a major concern. And rightly so—Chrome is clearly under attack.
And then, before the ink was dry on those three emergency updates, a fourth update arrived, this time with six additional important security fixes. The latest update, which brings Chrome’s stable channel to 125.0.6422.76/.77 for more than two billion Windows and Mac desktop users, is rolling out now.
Of those six fixes, four followed external vulnerability reports, as follows:
- High severity: CVE-2024-5157: Use after free in schedule. Reported by Looben Yang
- High severity: CVE-2024-5158: Type confusion in V8. Reported by Zhenghang Xiao
- High severity: CVE-2024-5159: Heap buffer overflow in ANGLE. Reported by David Sievers
- High severity: CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz
As usual, even when no active exploit has been discovered, Google notes that “access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” In short, the window of greatest risk is when a problem has been acknowledged and a fix exists, but most users have not yet applied it — the clock is ticking.
The latest updates don’t have the headline-grabbing status of last week’s, which also followed outside reports, but Google still paid for the reports.
All four newly disclosed vulnerabilities follow the same pattern as the previous three—memory-safety issues, where the bug can be triggered to destabilize the browser and potentially open the door to running attacker-supplied code or reading memory that should have been off limits.
Use-after-free and type confusion issues affecting the core JavaScript engine are common, as Google has acknowledged. The two heap overflow problems are variations on the same memory theme.
Normally, Google’s warning about the current update would generate headlines of its own, but the web is still abuzz with news of the previous days’ three emergency updates, one after the other, each addressing a vulnerability with an active exploit, and each added by the US government to its catalog of actively exploited vulnerabilities, with an update-or-stop-using notice to all federal agencies.
When we’re talking about Google Chrome, the dominant desktop browser, that is quite something.
The database in question is CISA—the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog. This catalog lists “vulnerabilities that have been exploited in the wild… Organizations should use the KEV catalog as input into their vulnerability management priority framework.”
As for what users should do now—it’s not enough to let your browser update automatically—you must actively ensure that the update is installed, with one simple action, as explained below.
Chrome’s first “update now” warning came on May 9, with Google warning that it is “aware that an exploit for CVE-2024-4671 exists in the wild.” The vulnerability was a “use after free” issue, where pointers to freed memory are not cleared and can therefore be abused.
As Kaspersky warns, “an attacker can use UAFs to pass arbitrary code—or a reference to it—to a program and navigate to the beginning of the code using a dangling pointer. In this way, executing malicious code can allow a cybercriminal to take control of a victim’s system.”
But before most users were even aware of the problem, attack number two arrived. On May 13, Google warned that an exploit for CVE-2024-4761 had been found in the wild. This time it was an “out of bounds” memory vulnerability affecting Chrome’s V8 JavaScript engine. This type of issue allows an attacker to target Chrome with maliciously crafted HTML pages.
An out-of-bounds problem risks exposing sensitive information that shouldn’t be available, while also risking a system or software crash that could give an attacker access to that data.
And then just 48 hours later, on May 15, Google also warned that “an exploit for CVE-2024-4947 exists in the wild.” This was another memory issue, a “type confusion” vulnerability, which again exposes users to a crafted HTML page attack.
Type confusion occurs when software tries to access incompatible resources without a safety net to catch the risk. An error can push the system into an unexpected state, opening up a security threat.
All of these vulnerabilities can destabilize a browser or device, which is a concern in itself, but they can also be used to launch other exploits once the system is destabilized.
Most users will have Chrome set to auto-update, which it should always do for security updates of this type anyway. But that in itself is not enough. You should always close and restart Chrome completely to make sure the update is fully installed.
Given the troubling optics of three zero days in six days, and the logistics of deploying multiple software releases to so many systems in such a short period of time, you should manually close and restart Chrome today, with the browser’s nightmare week hopefully now at an end.
Even if you think the updates are already installed, it’s a good failsafe.
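For anyone responsible for more than one machine, “make sure the update is installed” means comparing the version each running browser reports against the fixed build named above (125.0.6422.76/.77). The script below is an added example, not Google’s tooling or part of the original article: it parses Chrome version strings into comparable tuples (plain string comparison gets this wrong) and triages a constructed, comma-separated host inventory into patched, outdated and unparseable entries.

```python
import re

# First stable build carrying the six fixes named in the article (Windows/Mac).
FIXED_VERSION = "125.0.6422.76"

def parse_version(version: str) -> tuple[int, ...]:
    """Turn a Chrome version such as '125.0.6422.76' into a comparable 4-tuple."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(part) for part in version.split("."))

def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the reported version is at or above the first fixed build.

    Tuple comparison is essential: as strings, '99.0.0.0' > '125.0.6422.76'.
    """
    return parse_version(version) >= parse_version(fixed)

def triage_inventory(lines) -> dict:
    """Bucket 'host,version' lines (constructed inventory format) by patch state.

    Comments and blank lines are skipped; malformed versions are reported
    separately so they are not silently counted as patched.
    """
    report = {"patched": [], "outdated": [], "unparseable": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            bucket = "patched" if is_patched(version) else "outdated"
        except ValueError:
            bucket = "unparseable"
        report[bucket].append(host)
    return report

# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    "# host,chrome_version (as reported by the running process)",
    "laptop-01,125.0.6422.77",
    "laptop-02,124.0.6367.207",
    "desktop-07,125.0.6422.60",
    "kiosk-03,not installed",
]

if __name__ == "__main__":
    for state, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Feed it the version the running process reports (chrome://version, or your endpoint agent’s equivalent), not the installer on disk: a downloaded-but-not-relaunched update still runs the old code, which is exactly why the restart matters.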
I’d actually go further this week and also suggest rebooting your device—if it doesn’t cause too many ancillary problems with other software you’re using.
As for Chrome, it shouldn’t be too much of a problem. As Google explains, Chrome “saves your open tabs and windows and automatically reopens them when it’s restarted.” But that doesn’t include Google’s quasi-private browsing mode. “Your incognito windows will not reopen when Chrome restarts.”
CISA also warned that the first two vulnerabilities “could affect multiple web browsers using Chromium, including but not limited to Google Chrome, Microsoft Edge and Opera.”
US federal agencies have until June 3, 6 and 10 to “apply mitigations as directed by the supplier or discontinue use of the product if mitigations are not available.”
So what to make of this nightmarish week for Google and its vast number of Chrome users? It’s no surprise that Chrome has been hit so many times: it’s a complex platform and a magnet for attacks given the ubiquity of its desktop install base.
Exploits against any software that an attacker can assume will be on a target device are highly valued. All of this means significant efforts by the good guys and the bad guys to find any vulnerabilities. And so here we are.
It’s somewhat ironic that just as Chrome’s nightmare week came to an end, Google released a white paper titled “a safer alternative,” attacking Microsoft and suggesting that “after significant cybersecurity incidents with Microsoft, Google Workspace offers a safer choice.”
Chrome is not Workspace and the white paper focused on sophisticated cyber attacks, not just exploiting vulnerabilities. But let’s remember, one thing leads to another.
And details aside, the optical timing is a little tricky to say the least. Maybe the PR department could only hold it for a few days. We do not yet know the scope of the attack and whether the exploit disclosure is linked to any specific campaign.
The timing is even worse given the AI criticism that Chrome is also receiving after Google’s recent updates. “Google search is no longer an algorithm that displays relevant results based on a few keywords you type into the search box,” Windows Central explains. “Instead, it’s a system that relies on artificial intelligence to reason about search intent to provide the most relevant answer. However, while the company says the new system offers a better experience, incorrect results continue to grow, especially in the latest ‘AI Overview’ feature designed to display complete answers.”
The site offers instructions on how to disable these new AI results, which not only have accuracy issues – which is bad enough in itself, of course – but also open a Pandora’s box of AI data and user privacy, which should be a bigger concern for users because artificial intelligence is changing so many of these platforms and services.
While you’re restarting your browser to make sure the updates are installed, you can also look at other settings—it never hurts to sift through the regular security and privacy settings.
As for Chrome security, the good news is that the emergency updates were very timely this time – to the point that they made headlines around the world. Now you just need to do your part.