Deadline for Google Chrome – 72 hours to update or delete your browser

Updated on June 3 after a cookie theft warning.

For Google Chrome and its more than 2 billion desktop users, May will be a month to forget: four zero-days and emergency update warnings in 10 days set off a tidal wave of headlines that were hard to miss.

The US government has warned federal employees to install the May emergency updates or stop using Chrome. It set June 3 as the deadline for the first of these updates to be applied and June 6 for the second. June 3 has already passed, so you should already be running the first update. This is a timely reminder to ensure you apply the second update within the next 72 hours. Obviously, when you update your browser, all fixes to this point will be applied.

Other organizations should do the same and mandate full compliance by employees as well as personal users. Google accelerated emergency fixes for a reason.

The US government’s warning comes via the Cybersecurity and Infrastructure Security Agency, adding May’s Chrome warning to its Known Exploited Vulnerabilities (KEV) catalog, which details “vulnerabilities that have been exploited in the wild.”


Looks like June 3 was a big day for Chrome. Not only was it the first update deadline set by the US government, but it is also the day Google began retiring the Manifest V2 line of extensions as its Manifest V3 rollout takes shape.

While this will affect several developers and businesses, the headlines have focused on the detrimental effect it will have on ad blockers, which will need to be reworked to function as they do now. There is a risk that users reading these headlines will want to delay updating their browser to avoid ad blocking issues; you really shouldn’t go down this route – the security update is critical.

While Google is getting credit for speed and efficiency in releasing and announcing May’s emergency updates, the Manifest V2 change will generate more mixed feedback from users. As Ars Technica states: “The deeply controversial Manifest V3 system was announced in 2019 and the full transition has been delayed a million times, but now Google says it will actually make the transition.”

None of this should prevent users from applying the emergency update immediately if they haven’t already. Users around the world are still being urged to make sure they install the updates. Chrome updates automatically, but users must close and restart their browsers to make sure the update has been fully applied.

Also on June 3, Chrome users scrolling through their newsfeeds will see alarming headlines as a Bitcoin trader claimed to have lost $1 million after Chrome session cookies were stolen from his system to bypass his login and 2FA credentials.

While the Manifest V2 news may wrongly encourage Chrome users to delay updates, the alleged Binance compromise may do the opposite. Both would be wrong. This alleged attack used a malicious plugin that exfiltrated session cookies from the trader’s computer and replayed his login on another device. This is not a Chrome vulnerability that any patch can fix, and users need to be aware of two things.

The first is to be mindful of the plugins and extensions they install on their computers – the same hygiene rules apply as for any app you might install. Pay close attention to the source of such applications. Anything you install is a potential threat.
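One practical way to act on that advice is to inventory the permissions your installed extensions request, since an extension cannot read session cookies without asking for the capability. The script below is an added example, not code from the article or from Google: it audits Chrome extension manifests (the `Extensions/<id>/<version>/manifest.json` layout under a Chrome profile directory) and flags those requesting cookie-capable permissions or access to every site. The permission list and the sample manifests are constructed assumptions for this example.

```python
import json
from pathlib import Path

# Permissions that let an extension read or intercept session cookies.
# This list is an assumption for the example (Chrome extension API names);
# the article itself names no specific permissions.
COOKIE_CAPABLE = {"cookies", "webRequest", "webRequestBlocking", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list:
    """Return the reasons an extension manifest deserves a closer look."""
    reasons = []
    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 moves them to
    # "host_permissions". Check both so either generation is covered.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for p in sorted(perms & COOKIE_CAPABLE):
        reasons.append(f"requests '{p}' permission")
    if hosts & BROAD_HOSTS:
        reasons.append("requests access to all sites")
    return reasons

def audit_profile(extensions_dir: Path) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each."""
    findings = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        reasons = audit_manifest(manifest)
        if reasons:
            findings[manifest_path.parents[1].name] = reasons  # key by extension id
    return findings

# Constructed sample manifests for offline use (not real extensions).
SAMPLE_MANIFESTS = {
    "benign-notes": {"manifest_version": 3, "permissions": ["storage"]},
    "suspect-helper": {"manifest_version": 3, "permissions": ["cookies", "storage"],
                       "host_permissions": ["<all_urls>"]},
    "legacy-blocker": {"manifest_version": 2,
                       "permissions": ["webRequest", "webRequestBlocking", "*://*/*"]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLE_MANIFESTS.items():
        print(name, "->", audit_manifest(manifest) or "nothing flagged")
```

A hit is a prompt to verify the extension's source and publisher, not a verdict: a legitimate ad blocker needs exactly the broad permissions that the "legacy-blocker" sample is flagged for.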

The second relates to the way Chrome works. You may have seen news in recent years about Google’s long-delayed plan to remove the nasty little tracking cookies that track users around the web, from site to site. These cookies are the fuel that powers the global online marketing machine, reporting where you go and what you do, allowing ads to target your tastes and weaknesses.

However, there is a friendlier relative of these tracking cookies: session cookies, which ensure that you are remembered when you visit a site again and, importantly, that you don’t have to log in every time. “Remember me” and “Trust this browser” prompts rely on them.

The problem – as seen in this latest report – is that whoever steals these cookies can potentially replicate a user’s authenticated session on another device. “Many Internet users are falling victim to cookie-stealing malware,” Google warned, “which gives attackers access to their web accounts. Malware-as-a-Service (MaaS) operators often use social engineering to spread cookie-stealing malware.”

The good news is that Google has a fix that should be available soon. “We’re prototyping a new web feature called Device Bound Session Credentials (DBSC) that will help users be more secure against cookie theft,” Google announced in April. “By tying authentication sessions to devices, DBSC is trying to disrupt the cookie-stealing industry because exfiltrating those cookies will no longer be of any value.”

In the meantime, let’s deal with the here and now. With Chrome’s run of emergency updates paused, at least for now, it’s a good time to issue an alert and use whatever automated update processes your organization has in place. It goes without saying that home users should update as well.

Google has acknowledged that exploits for both vulnerabilities behind the June 3 and June 6 CISA deadlines exist in the wild, which is what made their fixes emergency updates. The first vulnerability, “Use after free in Visuals”, was reported on May 9 and added to KEV on May 13. “Google Chromium Visuals contains a vulnerability that allows a remote attacker to exploit a heap corruption via an HTML page,” CISA warns. “This vulnerability could affect several web browsers that use Chromium, including… Google Chrome, Microsoft Edge, and Opera.”

The second update, due on June 6, is another memory issue – CVE-2024-4761, “The Google Chromium V8 Engine contains an unspecified memory overflow vulnerability via a crafted HTML page,” CISA explained.

Exploiting either issue could allow an attacker to take control of the device, either directly or as one link in an exploit chain. Memory-safety bugs of this kind open the door to arbitrary code execution or to crashing the system.


For both known vulnerabilities, CISA directed federal government employees to “apply mitigations as directed by the vendor or discontinue use of the product if mitigations are not available.” This means making sure the Chrome update lands and installs. While the June 3 and June 6 CISA deadlines specifically apply to US federal agencies, all other public and private sector organizations are doing the same.

If your system is old or of a type that no longer supports Chrome updates, you should delete the browser rather than risk exploitation.

The other Chrome zero-days that hit KEV in May — CVE-2024-4947 and CVE-2024-5274 — require updating or discontinuing use by June 10 and June 16, respectively. Obviously, applying the update now should ensure that all mitigations have been applied. Make sure your browser updates to at least 125.0.6422.141/.142 for Windows and Mac, and 125.0.6422.141 for Linux.
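To turn that minimum build into a check you can run across a fleet, the script below (an added example, not code from the article, Google or CISA) reads the installed Chrome version and applies CISA’s rule: patched, or update, or stop using the browser. It compares versions numerically, since a string comparison would wrongly rank 125.0.6422.99 above 125.0.6422.141. The binary names it tries and the `--version` flag are assumptions about common Linux and macOS installs; Windows, where the version is read from the registry, is not covered.

```python
import re
import shutil
import subprocess

# Minimum patched build named in the article (Windows and Mac also shipped .142).
MIN_PATCHED = (125, 0, 6422, 141)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str):
    """Pull a four-part Chrome version out of text such as
    'Google Chrome 125.0.6422.141'; returns a tuple of ints or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version) -> bool:
    """Tuple comparison is numeric per component, so 125.0.6422.99 correctly
    ranks below 125.0.6422.141 (a plain string compare would get this wrong)."""
    return version is not None and version >= MIN_PATCHED

def required_action(version_text: str) -> str:
    """CISA's rule as quoted in the article: apply the vendor fix, or stop
    using the product. An unreadable version is treated as unpatched."""
    if is_patched(parse_version(version_text)):
        return "ok"
    return "update Chrome, or remove it if it can no longer update"

def local_chrome_version():
    """Ask an installed Chrome/Chromium for its version string (Linux/macOS).
    The candidate names are assumptions for this example."""
    candidates = ["google-chrome", "google-chrome-stable", "chromium",
                  "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"]
    for exe in candidates:
        path = shutil.which(exe) or (exe if exe.startswith("/") else None)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue  # binary missing or not runnable: try the next candidate
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None

if __name__ == "__main__":
    reported = local_chrome_version() or "Chrome version not found"
    print(reported, "->", required_action(reported))
```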
