Google Chrome gets third emergency update in a week as attacks continue

Google has issued another critical warning – the third in just a few days – as another active threat has been discovered; here’s what you need to do.

Updated 5/16; originally published on 5/14.

Google has released another urgent update, moving Chrome’s stable channel to 124.0.6367.207/.208 for Mac and Windows, as another zero day is anonymously reported and patched. As was the case last week, users are being warned that “Google is aware that an exploit for CVE-2024-4761 exists in the wild.”


This vulnerability affects Chrome’s V8 JavaScript and WebAssembly engine, allowing “a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.” The severity of the threat is set as ‘high’, but because it is being exploited, it is critical that users update and restart as soon as possible.

An out-of-bounds write problem means that crafted software can attack a device’s memory in unexpected ways, causing stability issues, crashing the program or device, or even executing other malicious code. Such memory issues are a recurring problem when it comes to Chrome vulnerabilities.

This is already the sixth zero day this year.

As usual, no further details have been published as users are urged to update. “Access to bug details and links may remain limited until the majority of users have been updated with a fix.”

Just like last week, the fact that an emergency release has been issued and warnings are appearing in various media should be enough warning for the 2 billion desktop users to manually update or check if the automatic update has been applied and then restart the browser.

Chrome is an excellent browser, despite the persistent tracking issues that have plagued the balancing act between user privacy and marketing machine for years. But given its ubiquity, especially for Windows users, it is a powerful attack surface when exploits are developed.

Instructions for updating Chrome can be found here.


Update 5/16: If two zero-day emergency updates in a week weren’t enough, here comes the third. And while Google has had its moments with security issues in Chrome over the years, this is starting to become a much more challenging situation than usual.

The company’s May 15 advisory confirmed nine security fixes, while the other two emergency updates last week were fixes for one issue. The stable channel has been updated to 125.0.6422.60 (Linux) and 125.0.6422.60/.61 (Windows and Mac).

Of the nine fixes, Google says it is “aware that an exploit for CVE-2024-4947 exists in the wild.”

That issue is a very serious type confusion vulnerability in Chrome’s underlying engine. This is a memory issue, like almost all zero days in Chrome, and this type of vulnerability usually means that a crafted HTML page can cause the system to crash or open the door to further exploits.

The two serious issues identified by third-party researchers and mentioned in Google’s advisory are as follows:

High, CVE-2024-4947: Type confusion in V8. Reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) from Kaspersky on 2024-05-13

High, CVE-2024-4948: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09

The other two externally identified bugs were less dangerous:

Medium, CVE-2024-4949: Use after free in V8. Reported by Ganjiang Zhou (@refrain_areu) from ChaMd5-H1 team on 2024-02-24

Low, CVE-2024-4950: Inappropriate implementation in downloads. Reported by Shaheen Fazim on 2023-06-06

The remaining issues have been identified internally. “As usual, our ongoing internal security work was responsible for a wide range of solutions, [including] internal audits, fuzzing and other initiatives.”

Google says it paid $8,000 for the lower-risk bugs, but did not disclose the payments for the most serious bugs. “We would also like to thank all the security researchers who worked with us during the development cycle,” the report said, “to prevent security bugs from ever reaching the stable channel.”

Chrome should apply these updates automatically, but users can check that they have the latest version of the software by going to Help/About Google Chrome. It’s also worth closing the browser completely and restarting it to ensure no latent known issues remain.
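For anyone checking more than one machine, the Help/About check can be run over an inventory export. The following is an added example, not code from Google or from this article: it assumes hypothetical `hostname,version` rows and treats the lowest stable build quoted in this article for each release as the point at which the fix is present.

```python
import re

# Fixed stable builds as quoted in this article (lowest build listed per release).
# Assumption: any build at or above the threshold carries the fix.
FIXED_BUILDS = {
    "CVE-2024-4761": (124, 0, 6367, 207),
    "CVE-2024-4947": (125, 0, 6422, 60),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def missing_fixes(version_text):
    """CVE ids this build predates; an unparseable version fails every check."""
    v = parse_version(version_text)
    if v is None:
        return sorted(FIXED_BUILDS)
    return sorted(cve for cve, fixed in FIXED_BUILDS.items() if v < fixed)

def audit(inventory_lines):
    """Map each host that needs an update to the fixes it is missing."""
    report = {}
    for line in inventory_lines:
        if not line.strip():
            continue
        host, _, version_text = line.strip().partition(",")
        gaps = missing_fixes(version_text)
        if gaps:
            report[host.strip()] = gaps
    return report

# Constructed sample inventory with hypothetical hosts, not real data.
SAMPLE = [
    "win-01,Google Chrome 124.0.6367.201",
    "mac-02,Google Chrome 124.0.6367.208",
    "lin-03,Google Chrome 125.0.6422.60",
    "win-04,Chromium unknown",
]

if __name__ == "__main__":
    for host, gaps in audit(SAMPLE).items():
        print(f"{host}: update and restart; missing {', '.join(gaps)}")
```

The version a host reports reflects the installed files; a browser that has not been restarted since the update may still be running the older build.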


Update 5/15: Despite the difficult optics of [three] emergency updates within a week, or the latest delay in deprecating tracking cookies, Google appears to be on a mission to improve Chrome’s security, with initiatives like addressing common memory issues with its V8 sandbox and session cookie theft with its smart new Device-based session credentials (DBSC) approach.

And the reason this is all so important became very clear this week at Google I/O, with confirmation that the company’s Gemini AI will be built into Chrome, making this one of the biggest bets. The update will even see Nano used for generative AI activities on the device, such as helping users write text.

As reported by The edge, “Google also announced that it will make Gemini available in Chrome DevTools, which developers use to debug and tune their apps. Gemini can explain error messages and provide suggestions for resolving coding issues.”

As Chrome’s product director Jon Dahlke told developers during the event: “This is a big change for the internet and we want to get it right.”

The heady world of AI will change the web experience for billions of people, whether browsing, creating or searching. And with six zero days already hitting the billions of Chrome users this year, this “major change for the internet” will bring major security issues that Google will need to address.

The security industry does not yet understand how the AI-driven threat landscape will evolve; but that will become apparent soon enough, and the impact on you and the software you use will be enormous…
