Google has released yet another emergency security update for the Chrome web browser, the fourth in a strikingly short two-week period this month. If you are one of the billions of people using Google's Chrome, you should see the patch rolling out automatically in the coming days, taking the version number to 125.0.6422.112/.113 for Windows and Mac and 125.0.6422.112 for Linux. However, so many zero-day vulnerabilities landing in so short a period does beg the question of what this says about Google's grip on Chrome security, and whether it is time to delete the browser and switch to something else.
A Timeline Of Critical Chrome Security Updates
The first Chrome zero-day of the month was confirmed, and a patch released, by Google on May 9. Then, on May 13, another Chrome zero-day emergency update dropped, to be followed by a third on May 15. As my colleague Zak Doffmann, writing at Forbes.com, said, "while Google has had its moments with Chrome security vulnerabilities over the years, this is starting to feel like a much more challenging situation than usual."
And then the unthinkable happened: a fourth zero-day vulnerability, with an exploit confirmed to exist in the wild, was acknowledged by Google. This latest scare prompted Google to issue yet another emergency update, on Thursday May 23. Google Chrome's technical program manager, Prudhvikumar Bommana, said that CVE-2024-5274 is a "Type Confusion in V8," and not a lot more. This isn't unusual, as Google withholds the technical details of such vulnerabilities until the majority of Chrome users have had the opportunity to receive the automatic update. V8 is the JavaScript engine powering Chrome and other Chromium-based browsers such as Microsoft Edge. A type confusion bug in it is extremely dangerous because, as CERT-EU puts it, it can lead to "code execution when a user visits a specially crafted and malicious HTML page." In practice, a V8 bug of this kind typically yields code execution inside Chrome's sandboxed renderer process; an attacker who wants to reach the rest of the system usually has to chain it with a separate sandbox-escape flaw, which is why the "in the wild" confirmation matters: someone has already done the work.
Should You Delete Chrome And Switch To Another Browser?
The knee-jerk reaction to a string of extremely serious zero-day vulnerability disclosures in such a short space of time is, understandably, to conclude that Chrome browser security is screwed. Knee-jerk reactions are, however, by their very nature short on serious reasoning. Given time to reflect on what has happened here, that conclusion is not one I can agree with. And neither should you. If you are concerned about privacy issues and the Google ecosystem, by all means switch to another browser, but not on purely security grounds. Here are just three reasons why.
- That zero-day vulnerabilities are being discovered, and patched within days, by external security researchers, Google's own Threat Analysis Group and the Chrome Security team is evidence that Google is taking security seriously. Sure, it's concerning when so many emergency fixes drop in such a short space of time, and there have now been eight this year so far, but would you rather these vulnerabilities went undiscovered while exploits continued unseen?
- Which browser are you thinking of switching to? This is a serious question, given that many of the most popular browsers, including Microsoft Edge, Brave, Opera and Vivaldi, are built on the same Chromium code base and V8 engine and are therefore exposed to the same zero-day exploits. While Google Chrome updates are pushed out automatically and, for most users, promptly, other Chromium-based products can take a few days to rebase on the fixed Chromium release and ship their own update. That is a few days during which the exploit window remains open for attackers.
- If switching to a non-Chromium browser such as Firefox or Safari, will it have the same number of vulnerability-hunting eyes upon it as Chrome and its siblings? The absence of security updates for a browser does not mean it has no vulnerabilities; it may simply mean that none has been discovered yet.
What Should You Do Now?
Either wait for the automatic Chrome security update to land, which is applied when you next restart the browser, or force the update if you are someone who rarely restarts it. To force it, open the Chrome menu and go to Help | About Google Chrome (or type chrome://settings/help into the address bar); Chrome will check for the update and, if one is available, start downloading it immediately. The same page shows the version currently running, which after the update should read 125.0.6422.112 or later.
Remember to relaunch your browser after the update has been installed; until you do, the old, vulnerable build is still the one running and you remain exposed to attack.
Check that you are running the latest and most secure version of Google Chrome.
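For anyone managing Linux machines from the command line rather than clicking through the About page, here is an added example (not from the article, and not a Google tool) that does the same version check in POSIX shell. It assumes the `google-chrome`, `google-chrome-stable` or `chromium` binary is on the PATH and prints a line like "Google Chrome 125.0.6422.112" for `--version`; the patched build number comes from the article, and the sample output line is a constructed string used for the self-check. Versions are compared field by field as numbers, because a plain string comparison would wrongly rank 125.0.6422.9 above 125.0.6422.112.

```shell
#!/bin/sh
# Added example: check an installed Chrome/Chromium build against the
# minimum patched version named in the article. Not part of Chrome itself.

# Linux build that carries the CVE-2024-5274 fix (from the article).
PATCHED_VERSION="125.0.6422.112"

# Constructed sample of what `google-chrome --version` prints, for the self-check.
SAMPLE_OUTPUT="Google Chrome 125.0.6422.112 "

# version_cmp A B -> prints lt, eq or gt, comparing each dot-separated field
# numerically. Missing trailing fields count as 0, so 125.0 == 125.0.0.0.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        # Drop the consumed head field; clear the string when it was the last one.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then echo lt; return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then echo gt; return 0; fi
    done
    echo eq
}

# chrome_is_patched VERSION -> exit 0 if VERSION >= PATCHED_VERSION, else 1.
chrome_is_patched() {
    [ "$(version_cmp "$1" "$PATCHED_VERSION")" != lt ]
}

# extract_version LINE -> the first four-part dotted version in LINE.
# A leading space is prepended so the "[^0-9.]" guard also works when the
# version is the first thing on the line (stops the greedy .* eating "1" of "125").
extract_version() {
    printf ' %s\n' "$1" | sed -n \
        's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# report_installed_chrome -> exit 0 if patched, 1 if not, 2 if no binary found.
# Note: --version reports the build on disk, not the running process; an
# already-open browser keeps running the old code until it is relaunched.
report_installed_chrome() {
    line=$(google-chrome --version 2>/dev/null \
        || google-chrome-stable --version 2>/dev/null \
        || chromium --version 2>/dev/null) \
        || { echo "no Chrome/Chromium binary found on PATH"; return 2; }
    v=$(extract_version "$line")
    if [ -z "$v" ]; then
        echo "could not parse a version from: $line"; return 2
    fi
    if chrome_is_patched "$v"; then
        echo "installed $v >= $PATCHED_VERSION: patched (relaunch the browser if it was already open)"
    else
        echo "installed $v < $PATCHED_VERSION: NOT patched, update now"
        return 1
    fi
}

# Only probe the live system when invoked as "sh chrome_check.sh check", so the
# functions can be sourced from another script without side effects.
if [ "${1:-}" = "check" ]; then
    report_installed_chrome
    exit $?
fi
```

On macOS the same check works against the bundled binary, `"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --version`. Whichever platform you are on, the authoritative answer for what is actually running is chrome://version inside the browser, which is why the script's exit code is only half the story until the browser has been relaunched.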