Monday, December 23, 2024

Google Chrome update deadline looms

The Google Chrome update deadline is just hours away, and this critical juncture cannot be ignored by its 2 billion-plus desktop users.

May was a turbulent month for Chrome, with a series of four zero-day vulnerabilities and emergency update warnings causing widespread concern. The U.S. government has taken the unusual step of warning federal employees to install May’s emergency updates or cease using Chrome altogether.

The urgency of these updates cannot be overstated, and with June 3 having passed, the second critical update must be applied by June 6.

The urgency behind the Google Chrome update deadline

The security vulnerabilities discovered in Google Chrome during May have prompted swift action from both Google and cybersecurity authorities. Four zero-day vulnerabilities within a span of ten days is an alarming situation, highlighting the importance of keeping software up to date. The U.S. government, through its Cybersecurity and Infrastructure Security Agency (CISA), has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signifying their critical nature.

CISA’s directive for federal employees to update Chrome by June 3 and June 6 underscores the gravity of the situation. Failure to apply these updates could leave systems vulnerable to exploitation. Given the widespread use of Chrome, this directive extends beyond federal agencies to all users. Chrome’s automatic update feature simplifies the process, but users must remember to restart their browsers to complete the update installation.


Of course, the Google Chrome update deadline from CISA only applies to those working in US federal agencies.

In addition to the direct warnings from the government, the broader cybersecurity community has echoed the need for immediate updates. Google’s emergency patches address severe vulnerabilities that could allow remote attackers to execute arbitrary code, compromising user systems. This potential for exploitation is not theoretical; these vulnerabilities are actively being used in the wild, necessitating prompt action from all Chrome users.

Implications of Manifest V2 and V3 changes

As Chrome users rush to meet the Google Chrome update deadline, another significant change is taking place. June 3 marked the beginning of Google’s phase-out of Manifest V2 extensions, making way for the more modern Manifest V3. This shift has far-reaching implications, particularly for developers and enterprises relying on specific browser extensions. Notably, ad blockers, which many users depend on, are facing significant challenges adapting to the new system.

Manifest V3, announced back in 2019, aims to enhance security and privacy, but its implementation has been controversial. Developers argue that it limits the functionality of extensions, particularly those used for content filtering. Despite these concerns, Google is pushing forward with the transition, emphasizing the improved security framework of Manifest V3. Users need to be aware that while some extensions may face temporary disruptions, the overarching goal is to provide a more secure browsing experience.

This transition is a critical point for users who might consider delaying their updates to avoid potential issues with extensions. However, the security risks associated with the unpatched vulnerabilities far outweigh the inconvenience of adjusting to new extension frameworks. Users must prioritize applying the emergency updates to protect their systems from active threats.

Recent security breaches highlight the need for updates

The urgency of meeting the Google Chrome update deadline is further underscored by recent high-profile security incidents. On June 3, reports emerged of a bitcoin trader losing $1 million due to the theft of Chrome security cookies. This incident involved a malicious plugin that exfiltrated session cookies, allowing attackers to bypass login and two-factor authentication protections. While this particular attack wasn’t directly tied to the zero-day vulnerabilities, it serves as a stark reminder of the risks posed by outdated software.

Chrome users must be vigilant about the plugins and extensions they install. Each installation carries potential security risks, and users should only download extensions from reputable sources. Google’s ongoing efforts to improve browser security, including initiatives like Device Bound Session Credentials (DBSC), aim to mitigate these risks. DBSC, expected to be rolled out soon, will bind authentication sessions to specific devices, making it much harder for attackers to exploit stolen cookies.
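The device binding described above can be modeled as proof of possession of a per-session key. The following Node.js sketch is an added example, not Google's code and not the DBSC wire protocol; the Server and Device classes, their method names and the challenge flow are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Server side: a session is bound to the public key registered at login.
class Server {
  constructor() { this.sessions = new Map(); }
  startSession(publicKeyPem) {
    const id = crypto.randomBytes(16).toString('hex'); // stands in for the cookie
    this.sessions.set(id, { publicKeyPem, challenge: null });
    return id;
  }
  // Fresh random challenge per refresh, so an old signature cannot be replayed.
  issueChallenge(id) {
    const s = this.sessions.get(id);
    if (!s) return null;
    s.challenge = crypto.randomBytes(32);
    return s.challenge;
  }

  // The session is refreshed only with a signature from the registered key.
  refresh(id, signature) {
    const s = this.sessions.get(id);
    if (!s || !s.challenge || !signature) return false;
    const challenge = s.challenge;
    s.challenge = null; // single use
    return crypto.verify('sha256', challenge, s.publicKeyPem, signature);
  }
}

// Device side: the private key never leaves the device (hardware-backed in practice).
class Device {
  constructor() {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(challenge) { return crypto.sign('sha256', challenge, this.privateKey); }
}

// Constructed scenario: the same cookie presented by its owner and by another machine.
function demo() {
  const server = new Server();
  const owner = new Device();
  const cookie = server.startSession(owner.publicKeyPem);
  const ownerOk = server.refresh(cookie, owner.sign(server.issueChallenge(cookie)));
  const other = new Device(); // holds the copied cookie but not the owner's key
  const copiedOk = server.refresh(cookie, other.sign(server.issueChallenge(cookie)));
  return { ownerOk, copiedOk };
}
```

In this model the cookie value alone is not enough to keep a session alive, which is the property the paragraph attributes to DBSC.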

Despite these future improvements, the immediate focus must remain on addressing the current vulnerabilities. The Google Chrome update deadline is not just a procedural matter; it’s a critical step in safeguarding user data and maintaining the integrity of systems. The repercussions of failing to update can be severe, as evidenced by the recent theft incident.

Technical details of the vulnerabilities

Understanding the technical aspects of the vulnerabilities leading to the Google Chrome update deadline can provide further insight into why these updates are crucial. The first vulnerability, CVE-2024-4761, is a “use-after-free” issue in the Visuals component of Chrome, reported on May 9. This type of vulnerability occurs when a program continues to use a pointer after it has been freed, leading to potential heap corruption and allowing attackers to execute arbitrary code.

The second critical update addresses a memory issue within Chrome’s V8 JavaScript engine, identified as CVE-2024-4762. This “out-of-bounds write” vulnerability occurs when a program writes data outside the bounds of allocated memory, which can lead to code execution or system crashes. Both vulnerabilities are severe, and their exploitation in the wild highlights the immediate need for updates.

CISA has provided clear guidance on these vulnerabilities, emphasizing that federal agencies must apply the mitigations or discontinue using the affected software if updates are not possible. This directive serves as a stark warning to all users about the potential consequences of ignoring these updates. Applying the updates ensures that all known security fixes are implemented, protecting systems from exploitation.

How to update Chrome

To update Google Chrome:

  1. Open Chrome: Launch the Google Chrome browser on your computer.
  2. Click More: In the top right corner, click on the three vertical dots (More).
  3. Go to Help: From the drop-down menu, hover over “Help” and then click on “About Google Chrome.”
  4. Update (if available): Chrome will automatically check for updates. If an update is available, click on the “Update” button.
  5. Relaunch: After the update is installed, click on the “Relaunch” button to restart Chrome and apply the changes.

If you don’t see the “Update” button, it means you’re already using the latest version of Chrome.
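For administrators checking many machines rather than one, the same procedure can be expressed as an audit that separates "update missing" from "update installed but browser not relaunched". This is an added example, not part of the original article; the inventory field names (name, installed, running) are hypothetical, and the minimum version is a constructed placeholder because the article gives no build number.

```javascript
// Placeholder minimum: the article gives no build number, so this value is constructed.
const MIN_PATCHED = '100.0.1000.10';

// Constructed inventory rows; the field names are hypothetical.
const INVENTORY = [
  { name: 'ws-01', installed: 'Google Chrome 100.0.1000.10', running: '100.0.1000.10' },
  { name: 'ws-02', installed: 'Google Chrome 100.0.1000.10', running: '100.0.1000.9' },
  { name: 'ws-03', installed: 'Google Chrome 100.0.1000.9', running: '100.0.1000.9' },
  { name: 'ws-04', installed: 'not found', running: null },
];

// Chrome versions are four dotted integers; compare them as numbers, not strings.
function parseVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(String(text));
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(host, minPatched) {
  const min = parseVersion(minPatched);
  if (!min) throw new Error('bad minimum version: ' + minPatched);
  const installed = parseVersion(host.installed);
  if (!installed) return 'unknown';
  if (compareVersions(installed, min) < 0) return 'update-needed';
  // Update is on disk, but the process still running predates the fix.
  const running = parseVersion(host.running);
  if (running && compareVersions(running, min) < 0) return 'relaunch-needed';
  return 'ok';
}

// Hosts that still need action, with the reason for each.
function audit(inventory, minPatched) {
  return inventory
    .map((h) => ({ name: h.name, status: classify(h, minPatched) }))
    .filter((r) => r.status !== 'ok');
}
```

A plain string comparison would rank 100.0.1000.9 above 100.0.1000.10, which is why the versions are parsed into integers first.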


Featured image credit: Gerd Altmann/Pixabay
