Updated June 3 after cookie theft warnings.
For Google Chrome and its 2 billion-plus desktop users, May will go down as a month to forget: four zero days and emergency update warnings in 10 days set off a tidal wave of wall-to-wall headlines that were hard to miss.
The US government has warned federal employees to install May’s emergency updates or stop using Chrome. It set a June 3 deadline for the first of these updates and a June 6 deadline for the second. June 3 has now passed, so you should already have applied the first update. This is a timely reminder to make sure you apply the second update within the next 72 hours. Obviously, when you update your browser now, all of the fixes are applied at once.
Other organizations should do the same and enforce full employee compliance, and personal users should update just as promptly. Google rushed emergency fixes for a reason.
The US government’s warnings come via the Cybersecurity and Infrastructure Security Agency (CISA), which added May’s Chrome vulnerabilities to its Known Exploited Vulnerabilities (KEV) list, a catalog of “vulnerabilities that have been exploited in the wild”.
June 3 looks to have been a big day for Chrome. Not only was it the first US government update deadline, it was also the day Google began phasing out many Manifest V2 extensions as the Manifest V3 rollout takes shape.
While this will affect many developers and businesses, headlines have focused on the detrimental effect it will have on ad blockers, which will have to adopt a more complex approach to work as they do now. There is a risk that users reading these headlines will delay updating their browser to avoid ad-blocking issues. You really shouldn’t go that route—security updating is critical.
While Google can take credit for the speed and efficiency with which it rolled out and announced May’s emergency updates, the Manifest V2 change will draw more mixed feedback from users. As Ars Technica puts it, “the highly controversial Manifest V3 system was announced in 2019 and the full switch has been delayed a million times, but now Google says it’s actually going to make the switch.”
None of this should prevent users from immediately applying the emergency update if they haven’t already. It remains urgent for users worldwide to ensure they have installed the updates. Chrome will update automatically, but users must then close and restart their browsers to ensure the update is fully applied.
Also on June 3, Chrome users browsing their news feeds will have seen disturbing headlines about a bitcoin trader who claimed to have lost $1 million after Chrome session cookies were stolen from his system and used to bypass his login credentials and 2FA.
While the Manifest V2 news may wrongly encourage Chrome users to delay their updates, the alleged Binance compromise may push them the other way. Both reactions would be wrong. This alleged attack used a malicious plug-in that extracted session cookies from the trader’s computer, replicating his logged-in session on another device. This is not a Chrome vulnerability that any patch can fix, and users should be aware of two things.
The first is to be careful about the add-ons and extensions they install—the same hygiene rules apply as to any app you might install. Be very careful about the source of such software. Anything you install is a potential threat.
The second is about how Chrome works. You may have seen the news in recent years about Google’s long overdue plan to kill off the pesky little tracking cookies that follow users around the web, from site to site. These cookies are the fuel that drives the world’s online marketing engine, reporting where you go and what you do, enabling ads to target your likes and dislikes.
But there is a friendlier version of these cookies: session cookies ensure that you are remembered when you return to a website and don’t have to log in every time you visit. “Remember me” and “trust this browser” prompts make all of this work.
The challenge—as seen in this latest report—is that if an attacker steals these cookies, they can potentially replicate the user’s authenticated session on a different device. “Many users across the web are falling victim to cookie-stealing malware,” Google has warned, “giving attackers access to their web accounts. Malware-as-a-Service (MaaS) operators often use social engineering to spread cookie-stealing malware.”
The good news is that Google has a fix that should be coming soon. “We’re prototyping a new web feature called Device Bound Session Credentials (DBSC) that will help keep users more secure against cookie theft,” Google announced in April. “By tying authentication sessions to the device, DBSC aims to disrupt the cookie-stealing industry, as exporting these cookies will no longer have any value.”
In the meantime, let’s deal with the here and now. With Chrome’s run of emergency updates paused, at least for now, this is a good time to send reminder communications and to apply whatever automated update enforcement your organization has available. Home users should, of course, update as well.
Google has acknowledged that the two vulnerabilities under CISA’s June 3 and June 6 deadlines have known exploits in the wild—hence the emergency updates. The first vulnerability, “Use After Free in Visuals”, was reported on May 9 and added to KEV on May 13. “Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page,” CISA warns. “This vulnerability could affect many web browsers that use Chromium, including… Google Chrome, Microsoft Edge and Opera.”
The second update, due on June 6, addresses another memory issue, CVE-2024-4761. “The Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page,” CISA explained.
Exploiting both issues could allow an attacker to take control of your platform or device, either directly or as part of a chained attack. Targeting memory vulnerabilities opens the door to either executing arbitrary code or destabilizing your system.
For both known exploited vulnerabilities, CISA has instructed federal government agencies to “apply mitigations per vendor guide or stop using the product if no countermeasures are available.” In practice this means confirming that the Chrome update has landed and been installed. While CISA’s June 3 and June 6 deadlines apply specifically to US federal agencies, all other public and private sector organizations should do the same.
If your system is of an age or type that no longer supports Chrome updates, you should delete the browser rather than run the risk of an exploit.
The other Chrome zero days that hit KEV in May—CVE-2024-4947 and CVE-2024-5274—require updates or discontinuation by June 10 and June 16, respectively. Applying an update now should ensure that all of these mitigations are in place. Make sure your browser is updated to at least 125.0.6422.141/.142 for Windows and Mac, or 125.0.6422.141 for Linux.
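The article asks organizations to automate enforcement of these updates and gives the minimum fixed builds and the CISA due dates. The script below is an added example (not Google’s, CISA’s or the article author’s code) showing the two checks an administrator would script: comparing each host’s installed Chrome version against the fixed build for its platform, and reading entries in the JSON layout CISA publishes for the KEV catalog to report which remediation deadlines have already passed. The host inventory and the KEV excerpt are constructed sample data embedded so the script runs offline; a real deployment would pull the inventory from its endpoint management tool and the catalog from CISA’s feed.

```python
"""Chrome update compliance check: added example, not from the article.

1. Compare installed Chrome builds with the minimum fixed build the article
   names (125.0.6422.141/.142 for Windows and Mac, 125.0.6422.141 for Linux).
2. Read KEV-style JSON entries and report CVEs whose due date has passed.
"""
from datetime import date
from typing import Dict, List, Tuple

# Minimum fixed Chrome build per platform, as given in the article.
# Windows/Mac shipped as .141 or .142, so .141 is the lower bound on both.
MIN_FIXED: Dict[str, Tuple[int, ...]] = {
    "windows": (125, 0, 6422, 141),
    "mac": (125, 0, 6422, 141),
    "linux": (125, 0, 6422, 141),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'major.minor.build.patch' into a tuple that compares numerically
    (string comparison would rank '125.0.6422.76' above '125.0.6422.141')."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, platform: str) -> bool:
    """True when the installed build is at or above the fixed build."""
    return parse_version(version) >= MIN_FIXED[platform.lower()]


def noncompliant_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Hostnames still running a Chrome older than the fixed build."""
    return [h["host"] for h in inventory
            if not is_patched(h["version"], h["platform"])]


def overdue_kev_entries(catalog: dict, vendor: str, today: date) -> List[str]:
    """CVE ids for `vendor` whose CISA remediation due date is already past.
    The due date itself still counts as on time."""
    overdue = []
    for entry in catalog["vulnerabilities"]:
        if entry["vendorProject"].lower() != vendor.lower():
            continue
        if date.fromisoformat(entry["dueDate"]) < today:
            overdue.append(entry["cveID"])
    return overdue


# Constructed host inventory (hypothetical hostnames and builds).
INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-01", "platform": "windows", "version": "125.0.6422.141"},
    {"host": "ws-02", "platform": "windows", "version": "125.0.6422.76"},
    {"host": "mac-01", "platform": "mac", "version": "125.0.6422.142"},
    {"host": "lx-01", "platform": "linux", "version": "124.0.6367.208"},
]

# KEV excerpt in the field layout CISA publishes. Constructed here from the
# CVE ids and due dates the article gives; other fields are omitted.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-4761", "vendorProject": "Google",
         "product": "Chromium", "dueDate": "2024-06-06"},
        {"cveID": "CVE-2024-4947", "vendorProject": "Google",
         "product": "Chromium", "dueDate": "2024-06-10"},
        {"cveID": "CVE-2024-5274", "vendorProject": "Google",
         "product": "Chromium", "dueDate": "2024-06-16"},
    ]
}

if __name__ == "__main__":
    print("Hosts below the fixed build:", noncompliant_hosts(INVENTORY))
    print("Overdue KEV entries on 2024-06-07:",
          overdue_kev_entries(KEV_SAMPLE, "Google", date(2024, 6, 7)))
```

Running the script lists `ws-02` and `lx-01` as non-compliant and, on June 7, reports CVE-2024-4761 as the only overdue entry; the same two functions can be fed the live inventory and the downloaded KEV catalog without changes.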