It has been a busy few weeks for Chrome, with plenty of news for its 3 billion users to digest. That makes it all too easy to forget that a fast-approaching update deadline is now just 72 hours away. Google has confirmed that attackers have actively exploited two dangerous Chrome vulnerabilities, and users must not remain unprotected.
The first of those memory threats was made public in a Chrome update on August 21, with Google warning that CVE-2024-7971 was under active exploitation. The nasty surprise was that a second memory vulnerability fixed in that same update—CVE-2024-7965—was also under attack. Google confirmed as much a week later.
The U.S. government’s cybersecurity agency, CISA, added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all federal agencies update Chrome by September 16 (and September 18 for the second fix) or stop using the browser. While CISA’s deadlines are only mandatory for government staff, many organizations follow its mandates. To put it more simply: there are two actively exploited vulnerabilities, so update Chrome now if you have not done so since early September.
As CISA explains, it “maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.”
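As an added example (not code from the article, Google or CISA) of how an organization can turn the KEV catalog into such a prioritization input: the script below parses a constructed sample in the schema of CISA’s KEV JSON feed, picks out the Chromium entries, and reports how many days remain before each CISA due date, or by how many days it has already been missed. The CVE IDs and due dates are those in the article; the dateAdded values, product names and the third filler entry are assumed.

```python
import json
from datetime import date

# Constructed sample in the schema of CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs and dueDate values come from the article; dateAdded and product are assumed.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-7971", "vendorProject": "Google", "product": "Chromium V8",
         "dateAdded": "2024-08-26", "dueDate": "2024-09-16",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2024-7965", "vendorProject": "Google", "product": "Chromium V8",
         "dateAdded": "2024-08-28", "dueDate": "2024-09-18",
         "requiredAction": "Apply mitigations per vendor instructions."},
        # Filler entry (constructed) to show that unrelated products are skipped.
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCo", "product": "Widget",
         "dateAdded": "2024-09-01", "dueDate": "2024-09-22",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})


def chromium_kev_status(feed_json: str, today_iso: str, keyword: str = "chrom") -> list[dict]:
    """Return KEV entries whose vendor/product mentions `keyword`, soonest due date first.

    Each result carries the CVE ID, the CISA due date, the signed number of days
    left until that date (negative once it has passed) and an `overdue` flag.
    """
    today = date.fromisoformat(today_iso)
    results = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        haystack = f"{entry['vendorProject']} {entry['product']}".lower()
        if keyword.lower() not in haystack:
            continue  # not a Chromium/Chrome entry
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        results.append({
            "cve": entry["cveID"],
            "due": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    return sorted(results, key=lambda r: r["days_left"])


if __name__ == "__main__":
    # Report against the real clock; swap in a fixed ISO date to reproduce the article's view.
    for r in chromium_kev_status(SAMPLE_KEV_FEED, date.today().isoformat()):
        state = "OVERDUE" if r["overdue"] else f"{r['days_left']} day(s) left"
        print(f"{r['cve']}: due {r['due']} ({state})")
```

In production, the same function would be fed the live feed (downloaded separately) and the output joined against the browser versions reported by your endpoint inventory.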
There have been two desktop Chrome updates since then, on September 2 and 10 respectively, both of which addressed high-severity vulnerabilities, albeit none confirmed as yet to have been actively exploited in the wild.
Somewhat ironically, given Microsoft’s own procession of zero-days (including this week’s Patch Tuesday), one of the serious Chrome vulnerabilities was discovered and disclosed by Microsoft, which attributed the attack to North Korean cryptocurrency-focused hackers chaining the Chrome vulnerability with an (also now patched) Windows zero-day.
Microsoft suggested this as a reason for users to switch from Chrome to Edge, advising organizations to “encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.”
While I wouldn’t advise that, Microsoft’s warning that Chrome phishing lures need to be stopped at source is critical. And Google is making its own moves to do just that. Google assured this week that its “revamped Safety Check feature will now run automatically in the background on Chrome, taking more proactive steps to keep you safe. It will also inform you of actions it takes, including revoking permissions from sites you don’t visit anymore, flagging potentially unwanted notifications and more.”
Microsoft has just released its latest Microsoft Threat Intelligence podcast, which delves into the nature of the North Korean threat behind its disclosure of CVE-2024-7971, shedding some light on the “surprising nature of recent attack chains involving vulnerability in the Chromium engine.”
Chrome comes in for a lot of flak (the downside of market domination) but deserves credit for its constant improvements, albeit you have to overlook the underlying advertising and cookie-driven data collection. This is making a difference, as one bemusing exchange on X this week illustrated. Google’s crackdown on infostealers exploiting Chrome weaknesses is starting to bolt the stable door, although the exchange shows the other side clearly intends to find new ways through.
While the latest worldwide browser market share data shows Edge continuing to build its user base, it is an exceptionally slow build; Statcounter reports a statistically irrelevant increase from 13.75% in July to 13.78% in August this year, albeit the year-on-year growth is more encouraging, with Edge up from 11.15% a year ago.
Updating Chrome to the latest release will address the two exploited zero-days as well as everything fixed since. As ever, check that the update has downloaded and then restart your browser to ensure it installs. If you have made the switch to Edge, you need to do the very same: both browsers are built on Chromium, so the actively exploited threats impact both.