This has been a nightmare week for Google and the billions of users around the world relying on the tech giant’s Chrome browser. With multiple attacks confirmed, here’s what you need to do now.
What a week this has been for Google Chrome. If you’re one of the billions defaulting to Chrome as your desktop browser, then the optics of three actively exploited vulnerabilities being confirmed inside six days will be a major concern. And rightly so—Chrome is clearly under attack.
The US government has just added one of the three to its catalog of vulnerabilities known to be behind active, current attacks. Federal agencies have until June 6 to update all their Chrome instances.
It’s not enough to let your browser update automatically—you need to actively ensure the update has been installed with one simple action, as explained below.
Chrome’s first “update now” warning came on May 9, with Google warning it was “aware that an exploit for CVE-2024-4671 exists in the wild.” The vulnerability was a “use after free” issue, in which the browser keeps using a pointer to memory it has already released; an attacker who can control what now occupies that memory can abuse the stale reference.
But before most users were even aware of the issue, along came attack number two. On May 13, it was CVE-2024-4761 that prompted Google to warn an exploit had been found in the wild. This time it was an “out of bounds” memory vulnerability affecting Chrome’s V8 JavaScript engine, meaning code reads or writes past the end of the memory it was meant to touch. This type of issue enables an attacker to target Chrome with maliciously crafted HTML pages.
This is the one that CISA, the US Cybersecurity & Infrastructure Security Agency, has now added to its Known Exploited Vulnerabilities (KEV) catalog, warning “this vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.” This catalog lists “vulnerabilities that have been exploited in the wild… Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.”
And then just 48 hours later, on May 15, Google also warned that “an exploit for CVE-2024-4947 exists in the wild.” This was another memory issue, a “type confusion” vulnerability, in which code handles an object as if it were of a different type than it actually is, and which again exposes users to a crafted HTML page attack.
All three are memory-safety bugs. At a minimum such a bug can crash the browser, but the reason they are being exploited in the wild is that a carefully crafted page can use them to run attacker-controlled code inside Chrome, which is then typically chained with further exploits to break out of the browser’s sandbox and reach the rest of the system.
Most users will have Chrome set to update automatically, which it should always do for security updates of this kind anyway. But that’s not enough in itself. Chrome downloads the new build in the background, but the running browser keeps executing the old code until it is restarted; a pending update shows as an “Update” button at the top right of the toolbar, and chrome://settings/help shows the version actually installed. You should always fully close and relaunch Chrome to ensure the update has fully installed.
Given three zero-days in six days, and three separate releases rolling out to so many systems in such a short period, you should manually close and relaunch Chrome today, with the browser’s nightmare week hopefully now at an end. Even if you think the updates have already installed, it’s a good fail-safe.
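As an added example, not from the article or from Google, here is how a security team might turn the two points above into a check: read the Chromium entries from CISA’s KEV feed to get their due dates, and compare the version each host reports against the build that carries the fix. The host names, version strings and the fixed build number are constructed for illustration and are assumptions; the KEV entry copies the public feed’s field names, with only the CVE ID and the June 6 due date taken from the article.

```python
"""Fleet check: which Chrome installs still sit below a fixed build, and by when
CISA expects them patched. Added example; all sample data is constructed."""
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's public KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the published feed (an assumption to verify against the live
# feed); only the CVE ID and the 2024-06-06 due date come from the article, the
# other values are illustrative. The second entry is a placeholder so the filter
# has something to reject.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-4761",
            "vendorProject": "Google",
            "product": "Chromium V8",
            "vulnerabilityName": "Chromium V8 out-of-bounds memory vulnerability",
            "dateAdded": "2024-05-16",
            "dueDate": "2024-06-06",
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
        {
            "cveID": "CVE-XXXX-XXXX",  # placeholder, not a real identifier
            "vendorProject": "ExampleVendor",
            "product": "Unrelated Product",
            "dateAdded": "2024-05-01",
            "dueDate": "2024-05-22",
        },
    ]
})

# Constructed inventory: what `google-chrome --version` or chrome://version
# reports on each host. Hypothetical host names.
INVENTORY = {
    "laptop-01": "Google Chrome 124.0.6367.99",
    "laptop-02": "Version 125.0.6422.60 (Official Build) (64-bit)",
    "kiosk-07": "Google Chrome 124.0.6367.201",
}

# Illustrative value only: substitute the build number Google's release notes
# name as carrying the fix you care about.
FIXED_VERSION = "125.0.6422.60"

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract Chrome's four-part build from strings such as
    'Google Chrome 125.0.6422.60' or 'Version 125.0.6422.60 (Official Build)'.
    Returns a tuple of ints so comparisons are numeric: as strings,
    '124.0.6367.99' sorts after '124.0.6367.201', which is wrong."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(installed, fixed):
    """True if the installed build is at or above the build carrying the fix."""
    return parse_version(installed) >= parse_version(fixed)


def chromium_kev_entries(feed_json, today_iso):
    """Return KEV entries whose vendor/product mentions Chromium or Chrome,
    with the remediation due date and days remaining relative to today_iso."""
    today = date.fromisoformat(today_iso)
    entries = []
    for vuln in json.loads(feed_json)["vulnerabilities"]:
        haystack = f"{vuln.get('vendorProject', '')} {vuln.get('product', '')}".lower()
        if "chrom" not in haystack:
            continue
        due = date.fromisoformat(vuln["dueDate"])
        entries.append({
            "cve": vuln["cveID"],
            "due": due.isoformat(),
            "days_left": (due - today).days,
        })
    return entries


def fleet_report(inventory, fixed_version, feed_json, today_iso):
    """Hosts still below fixed_version, plus the tightest KEV deadline driving them."""
    unpatched = sorted(h for h, v in inventory.items() if not is_patched(v, fixed_version))
    kev = chromium_kev_entries(feed_json, today_iso)
    deadline = min((e["due"] for e in kev), default=None)
    return {"unpatched": unpatched, "deadline": deadline, "kev": kev}


if __name__ == "__main__":
    report = fleet_report(INVENTORY, FIXED_VERSION, KEV_SAMPLE, "2024-05-17")
    for entry in report["kev"]:
        print(f"{entry['cve']} due {entry['due']} ({entry['days_left']} days left)")
    print("hosts still below the fixed build:", report["unpatched"])
```

One caveat that is the article’s whole point: both `google-chrome --version` and chrome://settings/help report the build installed on disk. A Chrome process that was already running when the update landed keeps executing the old code until it is relaunched, so a host can pass this check and still be exposed until the browser is closed and reopened.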
I would actually go further this week, and also suggest a device reboot—if that doesn’t cause too many ancillary issues with other software you have running.
As regards Chrome, this shouldn’t cause too many problems. As Google explains, Chrome “saves your opened tabs and windows and reopens them automatically when it restarts.” But this doesn’t include Google’s quasi private browsing mode. “Your incognito windows won’t reopen when Chrome restarts.”
So, what to make of this nightmare week for Google and its vast numbers of Chrome users? It’s no surprise that Chrome is hit so often: it is a large, complex platform, and the ubiquity of its desktop install base makes it a prime target.
Exploits against any software that an attacker can assume will be on a target device are highly prized. All of which means significant effort from defenders and attackers alike to find any vulnerabilities. And so here we are.
The good news is that Google’s emergency updates were very timely—now you just need to do your bit.