Sunday, December 22, 2024

Google’s Security Warning For 3 Billion Chrome Users—Update Now

Must read

Update, Dec. 21, 2024: This story, originally published Dec. 19, now includes new details of an experimental Chrome security feature and advice on update action for organizations running any Chrome or Chromium-powered browsers.

Hot on the heels of an emergency update to Google’s Chrome web browser comes yet another security update for billions of users across multiple operating system platforms. This time, the update urgency remains the same, but the number of vulnerabilities does not: four high-rated vulnerabilities have been confirmed by Google; here’s what you need to know and do.

ForbesNew Gmail Security Warning For 2.5 Billion—Second Attack Wave Incoming

Urgent Google Chrome Security Update For All Users Confirmed—What You Need To Know

Google has confirmed that the Chrome web browser is being updated again, an update that will roll out in the coming days and weeks. The reason? A total of four high-rated security vulnerabilities which between them have earned the security researchers who discovered them a whopping $75,000 in hacker bounties.

The four vulnerabilities that Google has confirmed are:

  • CVE-2024-12692: A type confusion vulnerability in the Chrome V8 Javascript rendering engine.
  • CVE-2024-12693: An out-of-bounds memory access vulnerability in the Chrome V8 Javascript rendering engine.
  • CVE-2024-12694: A use-after-free vulnerability in the Chrome browser compositing function.
  • CVE-2024-12695: An out-of-bounds write vulnerability in the Chrome V8 Javascript rendering engine.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Prudhvikumar Bommana from the Google Chrome security team said, “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

ForbesNew Google Gmail And Calendar Attack Warning For Millions Of Users

How To Securely Update Google ChromeTo Ensure Protection From The Latest Vulnerabilities

Chrome has been updated to the following versions:

  • 131.0.6778.204/.205 for Windows and Mac
  • 131.0.6778.204 for Linux
  • 131.0.6778.200 for Android

The more than 3 billion users of Google Chrome who are potentially impacted by these security vulnerabilities need to make sure that they are protected as soon as possible. If you are in that number, and the chances are high that you are, then you need to kickstart the updating process and then activate the updated browser itself to enable the protection to be in place. Google does automatically update the Chrome browser, but this relies on users restarting the client, which lots of people with lots of open tabs don’t like doing. So, please follow these steps now:

Head for the Help|About option in your Google Chrome menu to kickstart an automatic security update download.

Restart your Google Chrome browser after the update has been installed, or it will not activate, and you will still be vulnerable to attack.

Repeat step one to ensure that the Google Chrome update is installed and activated, and that you are now fully protected against these latest security threats.

ForbesGmail Account Deletion Warning—Act Now To Save Your Email In 2025

Chrome Patch Management Advice For Organizations

In light of the latest Google Chrome web browser security update addressing a number of serious, high-severity memory vulnerabilities, Alex Vovk, CEO and co-founder of Action1, an endpoint and patch management company, has offered the following advice for organizations that are impacted:

  • Ensure that all organizational systems that use the Google Chrome web browser are updated to the latest version—this can be done using remote management tools.
  • Configure your browser settings through group policy or management tools to enable automatic updates for Chrome on all user endpoints as the norm.
  • Deploy advanced endpoint protection solutions that can detect and prevent browser vulnerabilities from being exploited, such as behavioral detection and intrusion prevention systems.
  • Conduct regular security assessments and penetration tests that include browser-based vulnerabilities in their scope.

“Communicate with employees about the importance of keeping software up to date,” including the likes of Google Chrome and other web browser clients using the Chromium engine, Vovk said, “and provide guidance on how to recognize update prompts and initiate manual updates when necessary.”

ForbesElon Musk Xmail Teaser Poses New Threat For Billions Of Gmail Users

Chrome Canary Sings To New AI-Powered Scam Deception Tune

A Dec. 20 report at Bleeping Computer has confirmed that Google is adding a new scam protection for users of the Chrome web browser to help catch scams before they can catch you. The AI-powered newly discovered scam protection feature was uncovered by X user Leopeva64, who posted how he had spotted a new code flag in the latest Chrome Canary experimental build. This flag, Leopeva64 said, enabled a feature called “Client Side Detection Brand and Intent for Scam Detection” that employs a large language model to analyze web pages, on your device, looking for any malicious intent or brand impersonation. The official description of the Google Chrome code flag stated that the function: “Enables on device LLM output on pages to inquire for brand and intent of the page.” In other words, this AI-protection checks for these scams in real-time as you browse the web.

It is understood that the feature will support Chrome users using the browser client on Linux, Mac and Windows operating system platforms. What is unknown at this point is precisely how the protection will be displayed to the user, but I suspect it’s almost certain that some kind of warning pop-up notification will be involved to alert the user to the potential scam risk of the site in question, in much the same the way that unsafe site warnings do already for not secure or potentially dangerous sites.

ForbesGoogle Chrome App Deletes All iOS Passwords—But Why?

Bleeping Computer’s Mayank Parmar suggested that this could be, by way of example, the Chrome user visiting a Microsoft technical support page that is actually a fake designed to install malware or get you to call a telephone number to be charged for unnecessary security support. “Chrome’s AI could analyze the promoted brand or language used on the page,” Parmar said, and “display a warning alerting you to avoid interacting with the page or sharing personal information.”

Leopeva64 said that it appears, according to comments on the Chromium source code forum, that the feature may only work when the AI-powered enhanced protection function has been enabled for Chrome. The flag Leopeva64 described is “the one that actually activates the new AI-powered enhanced protection” mode.

Latest article