Updated June 3 after warnings about cookie theft.
For Google Chrome and its more than two billion desktop users, May will go down in history as a month to forget: four zero-days and emergency update alerts in ten days created a flood of wall-to-wall headlines that were hard to miss.
The US government has warned federal employees to install May’s emergency updates or stop using Chrome. It set a June 3 deadline for applying the first of these updates and a June 6 deadline for the second. June 3 has now passed, so you should already have applied the first update. This is a timely reminder to make sure you have applied the second within the next 72 hours. Naturally, when you update your browser, every fix released up to that point is applied at once.
Other organizations should do the same and require full employee compliance, and so should personal users. Google does not release emergency fixes for nothing.
The US government alerts come through the Cybersecurity and Infrastructure Security Agency, which is adding May’s Chrome alerts to the Known Exploited Vulnerabilities (KEV) catalog, which details “vulnerabilities that have been exploited in the wild.”
June 3 has been a big day for Chrome. Not only was it the first US government update deadline, but it is also the day Google began pulling the plug on many Manifest V2 extensions as the Manifest V3 rollout takes shape.
While this will impact many developers and enterprises, headlines have focused on the damaging effect it will have on ad blockers, which will need a complex workaround to keep working as they do now. There is a risk that users reading these headlines will try to delay updating their browsers to avoid possible ad-blocker issues; you really should not go this route: the security update is crucial.
While Google gets credit for the speed and efficiency in releasing and announcing the emergency May updates, the Manifest V2 change will generate more mixed user feedback. As Ars Technica reports: “The highly controversial Manifest V3 system was announced in 2019 and the entire switch has been postponed a million times, but now Google says it’s actually going to make the switch.”
None of this should stop users from applying the emergency update immediately, if they haven’t already done so. There remains an urgency for users around the world to ensure they have the updates installed. Chrome will update automatically, but users will then need to close and restart their browser to ensure the update has been fully applied.
Also on June 3, Chrome users browsing the news feeds will have seen worrying headlines when a bitcoin trader claimed he lost $1 million after Chrome session cookies were stolen from his system and used to bypass his login and 2FA credentials.
While the Manifest V2 news could wrongly encourage Chrome users to delay their updates, the alleged Binance compromise could do the opposite. Both would be wrong. This alleged attack used a malicious plugin that exfiltrated session cookies from the trader’s PC and replicated his login on another device. This is not a Chrome vulnerability that can be fixed by a patch, and users should be aware of two things.
The first is that you need to think carefully about the plugins and extensions you install on your PC. The same housekeeping rules apply here as for any app you install: be very aware of where it comes from. Everything you install is a potential threat.
The second is about the way Chrome works. You may have seen news in recent years about Google’s long-delayed plan to eliminate those pesky little tracking cookies that follow users across the Internet, from site to site. These cookies are the fuel that powers the global online marketing machine, reporting on where you go and what you do, allowing advertising to target your tastes and weaknesses.
But there is a friendlier relative of these tracking cookies: session cookies, which let a site remember you when you return and, most importantly, spare you from logging in every time. The ‘Remember me’ and ‘Trust this browser’ prompts are what make this work.
The challenge – as this latest report shows – is that if these cookies are stolen, the thief may be able to replicate the user’s authenticated session on another device. “Many users on the Internet are falling victim to cookie theft malware,” Google warned, “giving attackers access to their web accounts. Malware-as-a-Service (MaaS) operators often use social engineering to spread cookie theft malware.”
The good news is that Google has a fix that should be coming soon. “We are prototyping a new web capability called Device Bound Session Credentials (DBSC) that will better protect users from cookie theft,” Google announced in April. “By tying authentication sessions to the device, DBSC aims to disrupt the cookie theft industry, as exfiltrating these cookies will no longer have any value.”
In the meantime, let’s deal with the here and now. Now that Chrome’s run of emergency updates has paused, at least for now, this is a good time to send out reminder messages and apply whatever automated processes are available within your organization. Home users will obviously need to update as well.
Google has acknowledged that both vulnerabilities are being exploited in the wild, hence the emergency updates and the CISA deadlines of June 3 and June 6. The first vulnerability, a ‘Use after free in Visuals’, was reported on May 9 and added to KEV on May 13. “Google Chromium Visuals contains a use-after-free vulnerability that could allow a remote attacker to exploit heap corruption via a crafted HTML page,” CISA warns. “This vulnerability could impact multiple web browsers that use Chromium, including… Google Chrome, Microsoft Edge, and Opera.”
The second, due on June 6, is another memory issue, CVE-2024-4761: “Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page,” CISA explains.
Exploitation of either issue could allow an attacker to take control of your platform or device, directly or as part of an exploit chain. Memory-safety bugs of this kind open the door to arbitrary code execution or to destabilizing your system.
For both known exploited vulnerabilities, CISA has directed federal government employees to “apply mitigations as instructed by the vendor or discontinue use of the product if no fixes are available.” That means you need to make sure the Chrome update has landed and been installed. While the June 3 and June 6 CISA deadlines apply specifically to U.S. federal agencies, all other public and private sector organizations are doing the same.
If your system is of an age or type that no longer supports Chrome updates, you should uninstall the browser to avoid the risk of exploitation.
The other Chrome zero-days that arrived in KEV in May (CVE-2024-4947 and CVE-2024-5274) require updates or shutdown by June 10 and June 16, respectively. Applying the update now ensures all of these fixes are in place. Make sure your browser is at least updated to 125.0.6422.141/.142 for Windows, Mac and 125.0.6422.141 for Linux.