This has been a nightmare week for Google and its more than 2 billion desktop Chrome users. The US government has added a third serious zero-day security threat to its central catalog of vulnerabilities that are known to be behind active attacks. Now, six further vulnerabilities have also just been fixed.
You really need to ensure your browser has updated successfully—so here’s what you do…
Updated 5/22, with Google’s fourth Chrome security update in under ten days.
What a week this has been for Google Chrome. If you’re one of the billions defaulting to Chrome as your desktop browser, then the optics of three actively exploited vulnerabilities being confirmed inside six days will be a major concern. And rightly so—Chrome is clearly under attack.
And then, with the ink not yet dry on those three emergency updates, along came a fourth update, this time with six further important security fixes. The latest update, which brings Chrome’s stable channel to 125.0.6422.76/.77 for its two-billion-plus Windows and Mac desktop users, is now rolling out.
Of those six fixes, four followed external vulnerability reports, as follows:
- High CVE-2024-5157: Use after free in Scheduling. Reported by Looben Yang
- High CVE-2024-5158: Type Confusion in V8. Reported by Zhenghang Xiao
- High CVE-2024-5159: Heap buffer overflow in ANGLE. Reported by David Sievers
- High CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz
As usual, even when an active exploit has not been discovered, Google notes that “access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” In short, the maximum risk is when there’s an acknowledged issue and fix, but that fix has not yet been applied by the majority of users—the clock is ticking.
The latest updates don’t have the headline-grabbing status of those from last week, which were also made following external reports, but Google still paid out for the reports.
All four known vulnerabilities follow the same pattern as the last three—memory issues, where a vulnerability can be targeted to destabilize the system and potentially open access to running code or reading memory that should have been locked down.
Use after free and type confusion issues impacting the core JavaScript engine are common, and Google has acknowledged as much. The two heap overflow issues are variations on the same memory theme.
Ordinarily, an update now warning from Google would generate more headlines of its own, but the wires are still buzzing with the news ion the preceding days of those three emergency updates, one after the other, all of which had spawned active exploits and the US government adding them to its active threat database, with an update or stop using warning for all federal agencies.
When it’s Google Chrome we’re talking about, the dominant desktop browser, that’s a thing.
The database in question is CISA—the US Cybersecurity & Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog. This catalog lists “vulnerabilities that have been exploited in the wild… Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.”
As regards what users do now—it’s not enough to let your browser update automatically—you need to actively ensure the update has been installed with one simple action, as explained below.
Chrome’s first “update now” warning came on May 9, with Google warning it was “aware that an exploit for CVE-2024-4671 exists in the wild.” The vulnerability was a “use after free” issue, where pointers to vacated memory are not deleted and so can be abused.
As Kaspersky warns, “an attacker can use UAFs to pass arbitrary code—or a reference to it—to a program and navigate to the beginning of the code by using a dangling pointer. In this way, execution of the malicious code can allow the cybercriminal to gain control over a victim’s system.”
But before most users were even aware of the issue, along came attack number two. On May 13, it was CVE-2024-4761 that promoted Google to warn an exploit had been found in the wild. This time it was an “out of bounds” memory vulnerability affecting Chrome’s V8 Javascript engine. This type of issue enables an attacker to target Chrome with maliciously crafted HTML pages.
An out of bounds issue risks exposing sensitive information that should not be available while also risking a system or software crash that might allow an attacker to access that data.
And then just 48-hours later, on May 15, Google also warned that “an exploit for CVE-2024-4947 exists in the wild.” This was another memory issue, a “type confusion” vulnerability, which again exposes users to a crafted HTML page attack.
Type confusion occurs when software attempts to access incompatible resources without a safety net in place to trap the risk. The error can push the system into an unexpected state, opening a security threat.
All of these vulnerabilities can destabilize the browser or device, which is worrying in itself, but can also be used to enable other exploits to run once the system is destabilized.
Most users will have Chrome set to update automatically, which it should always do for security updates of this kind anyway. But that’s not enough in itself. You should always fully close and relaunch Chrome to ensure the update has fully installed.
Given the worrying optics of three zero-days in six days, and the logistics of deploying multiple software releases to so many systems in such a short period of time, you should manually close and relaunch Chrome today, with the browser’s nightmare week hopefully now at an end.
Even if you think the updates have already installed, it’s a good fail safe.
I would actually go further this week, and also suggest a device reboot—if that doesn’t cause too many ancillary issues with other software you have running.
As regards Chrome, this shouldn’t cause too many problems. As Google explains, Chrome “saves your opened tabs and windows and reopens them automatically when it restarts.” But this doesn’t include Google’s quasi private browsing mode. “Your incognito windows won’t reopen when Chrome restarts.”
CISA has also warned that the first two vulnerabilities “could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.”
US federal agencies have until 3rd, 6th and 10th June respectively to “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.”
So, what to make of this nightmare week for Google and its vast numbers of Chrome users. It’s no surprise that Google is hit so many times, it’s a complex platform and it’s a honeypot for attacks given the ubiquity of its desktop install base.
Exploits against any software that an attacker can assume will be on a target device are highly prized. All of which means significant good guy and bad guy efforts to find any vulnerabilities. And so here we are.
It’s a little ironic that just as Chrome’s nightmare week came to an end, Google issued a white paper titled “a more secure alternative,” taking a shot at Microsoft, and suggesting that “in the wake of significant cybersecurity incidents with Microsoft, Google Workspace offers a safer choice.”
Chrome isn’t Workspace and the white paper focused on sophisticated cyber attacks rather than merely exploited vulnerabilities. But let’s remember, one leads to the other.
And quite apart from the detail, optically the timing is somewhat awkward to say the least. Perhaps the PR department could have held that back for just a few days. We don’t yet know the extent of any attacks and whether the exposure of the exploits was connected to any specific campaign.
The timing is made even worse given the AI criticism Chrome is also getting following Google’s recent updates. “Search on Google is no longer an algorithm that surfaces relevant results based on a few keywords you type in a search box,” Windows Central explains. “Instead, it’s a system that relies on AI to reason the search intent to provide the most relevant answer. However, even though the company says the new system offers a better experience, inaccurate results keep growing, especially in the latest ‘AI Overview’ feature meant to show complete answers.”
The site provides a how to guide to disable these new AI results, which not only have accuracy issues—bad enough in itself, of course, but also open the Pandora’s box of AI data and user privacy, which is set to be the must bigger concern for users as AI comes to change so many of these platforms and services.
While you’re restarting the browser to ensure the updates have installed, you can look at other settings as well—it never hurts to sodium through the security and privacy settings on a regular basis.
As regards Chrome’s security, the good news though, is that emergency updates were very timely this time around—to the extent that it made headlines the world over. Now you just need to do your bit.
