For Google Chrome and its two-billion-plus desktop users, May will go down as a month to forget: four zero-days and emergency update warnings inside ten days launched a tidal wave of wall-to-wall headlines that were hard to miss.
The US government has warned federal employees to install May’s emergency updates or to stop using Chrome, and it has set a June 3 deadline for the first of those updates to be applied. It is now June 1, so this is a timely reminder to make sure you have updated Chrome within the next 72 hours.
Other organizations should do the same, and mandate full employee compliance.
Credit to Google for the speed and efficiency with which each emergency update was released and announced, notwithstanding the awkward PR. But there remains an urgency for users the world over to ensure the updates have installed. Chrome will download and install updates automatically, but users must then close and relaunch their browser for the patched version to take effect.
The US Government warning comes via its Cybersecurity & Infrastructure Security Agency (CISA) adding May’s Chrome warnings to its Known Exploited Vulnerabilities (KEV) catalog, which details “vulnerabilities that have been exploited in the wild.”
With the procession of emergency updates having paused, at least for now, it’s a good time to issue reminder communications and apply whatever automated processes you have available across your organization. Clearly, home users should update as well.
The first of those vulnerabilities, a “Use after free in Visuals,” was reported on May 9 and added to KEV on May 13. “Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page,” CISA warns. “This vulnerability could affect multiple web browsers that utilize Chromium, including… Google Chrome, Microsoft Edge, and Opera.”
A use-after-free vulnerability is a dangling pointer to memory that has already been released, which can be exploited to execute malicious code or to destabilize the platform or operating system. Whether directly or as part of a chain attack, the risk—as Kaspersky explains—is that “an attacker can use UAFs to pass arbitrary code—allowing a cybercriminal to gain control over a victim’s system.”
CISA has instructed federal government employees to “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.” That means ensuring Chrome’s update has landed and installed. While CISA’s June 3 deadline specifically applies to US federal agencies, other public and private sector organizations should apply the same timeline.
The other Chrome zero-days that made their way into KEV in May—CVE-2024-4761, CVE-2024-4947 and CVE-2024-5274—require updates or discontinuance by June 6, June 10 and June 16 respectively. Clearly, applying an update now should ensure all mitigations have been applied. Ensure your browser is on at least version 125.0.6422.112/.113 for Windows and Mac, or 125.0.6422.112 for Linux.
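For administrators who want to confirm compliance rather than assume it, the following POSIX shell script is an added example (not from the article or from Google) that compares a Chrome version string against the minimum patched build the article names, 125.0.6422.112. It assumes a Linux or macOS host where a `google-chrome --version` style command prints a line such as “Google Chrome 125.0.6422.112”; the three sample lines at the bottom are constructed stand-ins for output from three hosts, so the script runs offline.

```shell
#!/bin/sh
# Added example: check an installed Chrome build against the minimum patched
# version named in the article (assumption: 125.0.6422.112 is the floor on
# every platform; Windows/Mac may report the .113 build, which also passes).
MIN_VERSION="125.0.6422.112"

# version_ge A B: exit 0 when dotted version A >= B, comparing up to four
# numeric components; missing components count as 0.
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# extract_version LINE: print the first four-part dotted version in LINE.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# chrome_status LINE: print "patched" (exit 0), "UPDATE REQUIRED" (exit 1)
# or "unknown" (exit 2) for one line of `--version` output.
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_ge "$v" "$MIN_VERSION"; then echo "patched"; return 0; fi
    echo "UPDATE REQUIRED"; return 1
}

# Live check when a Chrome binary is on PATH (assumed command name).
if command -v google-chrome >/dev/null 2>&1; then
    chrome_status "$(google-chrome --version 2>/dev/null)" || true
fi

# Constructed sample lines standing in for three hosts' --version output.
for sample in "Google Chrome 125.0.6422.112" \
              "Google Chrome 125.0.6422.76" \
              "Chromium 124.0.6367.208"; do
    printf '%-30s -> ' "$sample"
    chrome_status "$sample" || true
done
```

One caveat worth building into any rollout report: `--version` reads the binary on disk, so a host can show “patched” while a Chrome window that was never relaunched is still running the vulnerable code. Pair the version check with the relaunch requirement from the article, for example by asking users to restart the browser or by checking process start times against the update’s install time.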