Users now have less than 72-hours to either update or quit Chrome
Updated June 3 following cookie theft warnings.
For Google Chrome and its 2 billion-plus desktop users, May will go down as a month to forget: four zero-days and emergency update warnings inside 10 days launched a tidal wave of wall-to-wall headlines that were hard to miss.
The U.S. government has warned federal employees to install May’s emergency updates or to cease using Chrome. They issued a June 3 deadline for the first of those updates to be applied and a June 6 update for the second. June 3 has now passed, and so you should have already applied the first update. This is a timely reminder that you must ensure you have applied the second update within the next 72 hours. Clearly, when you update your browser, all fixes to that point will be applied.
Others organizations should do the same and mandate full employee compliance, as should personal users. Google rushed out emergency fixes for a reason.
The U.S. government warnings come via its Cybersecurity and Infrastructure Security Agency, adding May’s Chrome warnings to its Known Exploited Vulnerabilities (KEV) catalog, which details “vulnerabilities that have been exploited in the wild.”
It looks like June 3 has been a significant day all round for Chrome. Not only was that the U.S. government’s first update cutoff, but it’s also the day Google started to pull the plug on many Manifest V2 extensions as its rollout of Manifest V3 takes shape.
While this will affect multiple developers and enterprises, headlines have focused on the detrimental effect this will have on ad blockers, which will need to adopt a complex workaround to work as now. There is a risk that users reading those headlines might seek to delay updating their browser, to prevent any ad blocker issues; you really shouldn’t go down this road—the security update is critical.
While Google gets credit for the speed and efficiency in releasing and announcing May’s emergency updates, the Manifest V2 change will generate more mixed user feedback. As Ars Technica reports, “the deeply controversial Manifest V3 system was announced in 2019, and the full switch has been delayed a million times, but now Google says it’s really going to make the transition.”
None of this should stop users from applying the emergency update immediately, if they haven’t already. There remains an urgency for users worldwide to ensure they’ve installed the updates. Chrome will update automatically, but users must then close and relaunch their browsers to ensure the update has been fully applied.
Also on June 3, Chrome users browsing the newsfeeds will have seen worrying headlines when a bitcoin trader claimed he lost $1 million following the theft of Chrome security cookies from his system to bypass his login and 2FA credentials
While the Manifest V2 news might wrongly encourage Chrome users to delay their updates, the alleged Binance compromise might do the opposite. Both would be wrong. This alleged attack leveraged a malicious plugin that exfiltrated session cookies from the trader’s PC, replicating his login on another device. This isn’t a Chrome vulnerability any patch can fix, and users need to be aware of two things.
The first is being mindful of the plugins and extensions they install on their PCs—the same housekeeping rules apply as for any apps you might install. be very mindful of the source of such applications. Anything you install is a potential threat.
The second goes to the way in which Chrome works. You may have seen news over recent years of Google’s long-delayed plan to kill off the nasty little tracking cookies that follow users across the web, from site to site. Those cookies are the fuel that drives the global online marketing machine, reporting back on where you go and what you do, enabling ads to target your tastes and weaknesses.
But there’s a friendlier version of those tracking cookies, and these session cookies ensure you can be remembered when you revisit a site, and critically that you don’t need to login each time you do. The “remember me” and “trust this browser” notifications make all this work.
The challenge—as seen in this latest report—is that if you steal those cookies, you can potentially replicate the user’s secured session on a different device. Many users across the web are victimized by cookie theft malware,” Google has warned, “giving attackers access to their web accounts. Operators of Malware-as-a-Service (MaaS) frequently use social engineering to spread cookie theft malware.”
The good news is that Google has a fix that should be coming soon. “We’re prototyping a new web capability called Device Bound Session Credentials (DBSC) that will help keep users more secure against cookie theft,” Google announced in April. “By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.”
Meanwhile, let’s deal with the here and now. With the procession of emergency Chrome updates having paused, at least for now, it’s a good time to issue reminder communications and apply whatever automated processes you have available across your organization. Clearly, home users should update as well.
Google has acknowledged that the two vulnerabilities per CISA’s June 3 and June 6 deadlines have known exploits found in the wild—thus the emergency updates. The first vulnerability, a “Use after free in Visuals,” was reported on May 9 and added to KEV on May 13. “Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page,” CISA warns. “This vulnerability could affect multiple web browsers that utilize Chromium, including… Google Chrome, Microsoft Edge, and Opera.”
The second update, due June 6, is another memory issue—CVE-2024-4761, “Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page,” CISA explained.
Exploitation of both issues could allow an attacker to take control of your platform or device, either directly or as part of a chain attack. Targeting memory vulnerabilities opens the door to either running arbitrary code or destabilizing your system.
For both known exploitation vulnerabilities, CISA has instructed federal government employees to “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.” That means ensuring Chrome’s update has landed and installed. While CISA’s June 3 and June 6 deadlines specifically apply to U.S. federal agencies, all other public and private sector organizations do the same.
If your system is of an age or type that no longer supports Chrome updates, you should delete the browser rather than run the risk of exploitation.
The other Chrome zero-days that made their way into KEV in May—CVE-2024-4947 and CVE-2024-5274—require updates or discontinuance by June 10 and June 16, respectively. Clearly, applying an update now should ensure all mitigations have been applied. Ensure your browser updates to 125.0.6422.141/.142 for Windows, Mac and 125.0.6422.141 for Linux—at least.
Michael Johnson is a tech enthusiast with a passion for all things digital. His articles cover the latest technological innovations, from artificial intelligence to consumer gadgets, providing readers with a glimpse into the future of technology.
