Updated June 3rd following warnings about cookie theft.
For Google Chrome and its more than 2 billion desktop users, May will be remembered as a month they'd rather forget, with four zero-day vulnerabilities and urgent update warnings in the space of 10 days resulting in a flurry of can't-miss headlines.
The US government has told federal employees either to install May's emergency Chrome updates or to stop using the browser. The deadline for the first update was June 3rd, and the deadline for the second is June 6th. June 3rd has passed, so the first update should already be in place, which makes this a timely reminder that the second must be applied within the next 72 hours. Updating the browser once applies every fix released up to that point.
Other organizations should mandate the same compliance for their employees, and individual users should hold themselves to the same standard: these are actively exploited flaws, which is why Google rushed out emergency fixes.
The US government's alert came through the Cybersecurity and Infrastructure Security Agency (CISA), which added the May Chrome flaws to its Known Exploited Vulnerabilities (KEV) catalog, a list of “vulnerabilities that have been exploited in the wild.”
June 3rd was a big day for Chrome in more ways than one: not only was it the first US government update deadline, it also marked the day Google began phasing out many Manifest V2 extensions as the Manifest V3 rollout took shape.
While this affects many developers and companies, the headlines have focused on how it will hurt ad blockers, which will now need complex workarounds to keep working as well as they do today. Users who read these headlines may be tempted to delay updating their browsers to avoid breaking their ad blockers, but they should not go down this path. Security updates are crucial.
While Google has been praised for the speed and efficiency with which it released and announced emergency updates in May, the Manifest V2 changes are likely to draw more mixed reactions from users. “The highly controversial Manifest V3 system was announced in 2019 and the full switchover has been postponed multiple times, but Google has now announced that it will really make the transition,” Ars Technica reported.
Users who have not yet applied the emergency update should do so now and not let these issues distract them. Chrome updates automatically, but users should close and relaunch the browser to ensure the update is fully applied.
Also on June 3rd, users browsing their Chrome news feeds would have seen a worrying headline in which a Bitcoin trader claimed to have lost $1 million after a session cookie was stolen from his browser and used to bypass his login and 2FA.
While the Manifest V2 news may wrongly encourage Chrome users to delay updating, the alleged Binance breach may wrongly push them the other way, toward waiting for a patch. Both impressions are mistaken. The alleged attack used a malicious browser extension that stole session cookies from traders' PCs and replayed their logins on other devices. That is not a Chrome vulnerability a patch can fix, and users should be aware of two things:
First, be careful about the plugins and extensions you install, in the browser just as on the PC. The same rules apply to any app you install: scrutinize the source, and treat everything you install as a potential threat.
The second is how browsers handle cookies. Over the last few years you may have seen news about Google's long-delayed plans to phase out the pesky little tracking cookies that follow you from site to site across the web. These cookies are the engine of the global online marketing machine, reporting where you've been and what you've done so that advertising can be targeted to your likes and pain points.
Session cookies are the more user-friendly relatives of these tracking cookies. They let a site remember you when you return and, importantly, save you from logging in every time; the “remember me” and “trust this browser” prompts are what create them. The catch is that a session cookie is a bearer token: whoever presents it is treated as you.
The challenge highlighted in this latest report is that a stolen cookie lets an attacker replay the user's authenticated session on another device, without needing the password or the second factor. “Many users on the web fall victim to cookie-stealing malware, which can give attackers access to users' web accounts. Malware-as-a-Service (MaaS) operators often use social engineering to spread cookie-stealing malware,” Google warns.
The good news is that Google plans to roll out a fix soon: “We're prototyping a new web feature called Device-Bound Session Credentials (DBSC) that will help safeguard users against cookie theft,” Google announced in April. “By binding authentication sessions to devices, DBSC aims to disrupt the cookie theft industry because stealing these cookies will no longer be worthwhile.”
In the meantime, address the moment. With the flurry of emergency Chrome updates paused, at least for now, this is a good time to send reminder communications and run whatever automated update processes are available across your organization. Home users should update too.
Google acknowledged that exploits existed in the wild for the two vulnerabilities behind CISA's June 3 and June 6 deadlines, which is what triggered the emergency updates. The first, a “Visuals use after free” (CVE-2024-4671), was reported on May 9 and added to the KEV on May 13. “Google Chromium Visuals contains a use after free vulnerability that a remote attacker could exploit to cause heap corruption via a crafted HTML page,” CISA warned. “The vulnerability may affect multiple web browsers that use Chromium, including Google Chrome, Microsoft Edge, and Opera.”
The second update, with its June 6 deadline, addresses another memory-safety issue, CVE-2024-4761, which CISA describes thus: “Google Chromium V8 engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page.”
Successful exploitation of either issue could allow an attacker to take control of the device, either directly or as one step in a chained attack, since memory-corruption bugs of this kind can lead to arbitrary code execution or to crashes and instability.
For both vulnerabilities, CISA has instructed federal agencies to “apply mitigations as instructed by the vendor or discontinue use of the product if mitigations are not available.” In practice that means making sure the Chrome updates are installed. CISA's June 3 and June 6 deadlines formally bind only U.S. federal civilian agencies, but CISA urges all other public and private sector organizations to treat them the same way.
If your system runs an older version or type of operating system that Chrome no longer supports with updates, remove the browser rather than keep running one that can be exploited.
The other two Chrome zero-days that made it into the KEV in May, CVE-2024-4947 and CVE-2024-5274, must be updated or discontinued by June 10th and June 16th respectively. If you apply the updates now, all of the mitigations will be in place. At a minimum, update your browsers to 125.0.6422.141/.142 on Windows and Mac, and 125.0.6422.141 on Linux.