Updated on June 3 after a warning about cookie theft.
For Google Chrome and its more than 2 billion desktop users, May will go down as a month to forget: four zero days and urgent update warnings within 10 days set off a tidal wave of wall-to-wall headlines that were hard to miss.
The US government has warned federal agencies to install May's emergency updates or stop using Chrome. CISA set a deadline of June 3 for the first of those fixes and June 6 for the second. June 3 has now passed, so the first update should already be in place; this is a timely reminder to make sure the second is applied within the next 72 hours. Chrome updates are cumulative, so updating your browser now applies every fix released up to that point.
Other organizations should follow suit and mandate compliance by employees; personal users should do the same. Google rushed these fixes out for a reason.
The US government's warnings come via its Cybersecurity and Infrastructure Security Agency (CISA), which added May's Chrome bugs to its Known Exploited Vulnerabilities (KEV) catalog, the list of "vulnerabilities that have been exploited in the wild."
June 3 turned out to be a significant day for Chrome. Not only was it the deadline for the first of the US government's update mandates, it was also the day Google began phasing out Manifest V2 extensions as its Manifest V3 rollout takes shape.
While this affects many developers and businesses, headlines have focused on the damage to ad blockers, which will have to be substantially reworked to keep functioning as they do now. There is a risk that users reading those headlines will delay updating their browser to avoid ad blocker breakage; you really shouldn't go that route, because the security updates are critical.
While Google deserves credit for the speed and efficiency with which it released and announced the May updates, the Manifest V2 change is drawing more mixed feedback from users. As Ars Technica reports, "the deeply controversial Manifest V3 system was announced in 2019, and the full transition has been delayed a million times, but now Google says it's actually going to make the transition."
None of this should stop users from applying the emergency update immediately if they haven't already. The urgency for users worldwide to install the updates remains. Chrome updates itself automatically, but users must then close and relaunch the browser for the update to take effect.
Also on June 3, Chrome users scanning their news feeds saw an alarming headline: a cryptocurrency trader claimed to have lost $1 million after session cookies were stolen from his system and used to bypass both his login credentials and his 2FA.
While the Manifest V2 news might wrongly prompt Chrome users to delay updates, the trader's alleged Binance compromise might wrongly prompt them to expect a patch. Both reactions would be mistaken. This alleged attack used a malicious browser plugin that exfiltrated session cookies from the trader's computer, allowing his authenticated session to be replayed from another device. That is not a Chrome vulnerability that any patch can fix, and users need to be aware of two things.
The first is to be careful about the add-ons and extensions they install. The same hygiene rules apply as for any application: know where it comes from, who publishes it and what permissions it asks for. Everything you install is a potential threat.
The second relates to the way Chrome works. You may have seen news over the past few years about Google's long-delayed plan to end the tracking cookies that follow users around the web from page to page. Those cookies are the fuel that powers the global online advertising machine, reporting where you go and what you do so that ads can target your tastes and foibles.
But there is a friendlier version of those cookies: session cookies, which let a site remember you when you return and, most importantly, spare you from logging in every time. The "remember me" and "trust this browser" prompts are what set them up.
The challenge, as this latest report shows, is that an attacker who steals those cookies can replay the user's authenticated session on another device, with no need for the password or the second factor. "Many users around the web are victims of cookie-stealing malware," Google warned, "giving attackers access to their web accounts. Malware-as-a-service (MaaS) operators often use social engineering to spread cookie-stealing malware."
The good news is that Google is working on a fix. "We're prototyping a new web feature called Device Bound Session Credentials (DBSC) that will help protect users from cookie theft," Google announced in April. "By tying authentication sessions to a device, DBSC aims to disrupt the cookie-stealing industry since exfiltrating those cookies will no longer have any value."
In the meantime, let's deal with the here and now. With the run of Chrome emergency updates paused, at least for now, this is a good moment to issue reminders and to switch on whatever automated update enforcement is available across your organization. Home users, obviously, should update as well.
Google has confirmed that the two vulnerabilities under CISA's June 3 and June 6 deadlines have known exploits in the wild, hence the urgent updates. The first, "Use after free in Visuals," was fixed on May 9 and added to KEV on May 13. "Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via crafted HTML pages," CISA warns. "This vulnerability could affect multiple web browsers that use Chromium, including… Google Chrome, Microsoft Edge, and Opera."
The second, due by June 6, is another memory-safety issue, CVE-2024-4761: "Google Chromium V8 Engine contains an unspecified out-of-bounds write vulnerability via a crafted HTML page," CISA explained.
Exploiting either issue could allow an attacker to take control of your device, directly or as one link in an exploit chain. Memory-corruption bugs of this kind typically end in arbitrary code execution or in a crash that destabilizes the system.
For both vulnerabilities, CISA directed federal agencies to "apply mitigations as directed by the vendor or stop using the product if mitigations are unavailable." In practice that means confirming Chrome's update has arrived and is installed. While CISA's June 3 and June 6 deadlines apply specifically to US federal agencies, every other public and private sector organization should do the same.
If your system is old, or of a type that no longer receives Chrome updates, you should stop using the browser rather than run it unpatched.
Chrome's other zero days that entered KEV in May, CVE-2024-4947 and CVE-2024-5274, carry CISA deadlines of June 10 and June 16 respectively. Updating now covers all four. Make sure your browser is on at least 125.0.6422.141/.142 for Windows and Mac, or 125.0.6422.141 for Linux; opening chrome://settings/help shows the installed version and triggers an update check.