For Google Chrome and its 2 billion-plus desktop users, May will be remembered as a month they'd rather forget: four zero-day vulnerabilities and urgent update warnings in the space of 10 days led to a flurry of can't-miss headlines.
The US government has warned federal employees to install the May emergency update or stop using Chrome, and has set a deadline of June 3 to apply the first update. Since it is now June 1, this is a timely reminder that Chrome needs to be updated within the next 72 hours.
Other organisations should similarly mandate full compliance from their employees.
Credit to Google for the speed and efficiency with which the emergency update was released and announced, despite the awkward PR. However, there remains an urgency for users around the world to ensure the update is actually installed. Chrome downloads updates in the background, but the new build only takes effect once the browser is fully closed and relaunched; until then, the vulnerable version is still the one running. You can check the installed version, and force an update check, at chrome://settings/help.
The US government alert came via the Cybersecurity and Infrastructure Security Agency (CISA), which added the May Chrome flaws to its Known Exploited Vulnerabilities (KEV) catalogue, the list of “vulnerabilities that have been exploited in the wild.”
With the stream of emergency updates on hold, at least for now, this is a good moment to issue reminder communications and to run whatever automated update and compliance checks your organization has in place. Obviously, home users should update too.
The first vulnerability, “Use-after-free in Visuals” (CVE-2024-4671), was disclosed on May 9 and added to the KEV on May 13. “Google Chromium Visuals contains a use-after-free vulnerability that a remote attacker could exploit to cause heap corruption via a crafted HTML page,” CISA warned. “The vulnerability can affect multiple web browsers that use Chromium, including Google Chrome, Microsoft Edge, and Opera.”
A use-after-free is a memory-safety bug in which a program keeps using a pointer to memory after that memory has been released. Because the allocator can hand the freed block straight to the next allocation, an attacker who can trigger allocations (for example, from a crafted HTML page) may get attacker-controlled data into the block the stale pointer still references. That corrupts the heap and, either directly or as part of a chained attack, can lead to code execution or crash the browser. As Kaspersky explains, the risk is that “attackers can use use-after-free to pass arbitrary code, giving cybercriminals control over a victim's system.”
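To make the bug class concrete, here is an added illustration in C; it is not code from Chrome or from this article, and it says nothing about how the Visuals bug itself works. The tiny `pool` allocator, the `widget` struct and the handler functions are all constructed for the example; the pool stands in for a real heap allocator, which likewise hands a freed block back to the next same-sized allocation. `vulnerable_dispatch` keeps using its object after releasing it and ends up calling through attacker-supplied bytes; `hardened_dispatch` releases through a helper that nulls the caller's pointer and refuses a stale reference.

```c
#include <stdio.h>
#include <string.h>

/*
 * A tiny fixed-size object pool standing in for the heap allocator (constructed
 * for this example). Freed slots go on a LIFO free list and are handed straight
 * back to the next allocation, which is the behaviour real allocators share and
 * the reason a dangling pointer becomes heap corruption.
 */
#define SLOT_BYTES 32
#define NSLOTS     4

static _Alignas(16) unsigned char pool[NSLOTS * SLOT_BYTES];
static int free_list[NSLOTS];
static int free_top;                      /* number of entries on the free list */

static void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)  /* slot 0 is handed out first */
        free_list[free_top++] = i;
}

static void *pool_alloc(void) {
    if (free_top == 0) return NULL;
    return pool + free_list[--free_top] * SLOT_BYTES;
}

static void pool_free(void *p) {
    int idx = (int)(((unsigned char *)p - pool) / SLOT_BYTES);
    free_list[free_top++] = idx;          /* slot is immediately reusable */
}

/* The kind of object a renderer keeps around: a callback plus some state. */
struct widget {
    int (*on_event)(int);
    int id;
};

static int real_handler(int x) { return x * 2; }
/* Stands in for whatever an attacker can make the stale pointer call. */
static int evil_handler(int x) { return -x; }

/* Vulnerable pattern: w is released, but the caller keeps dereferencing it. */
int vulnerable_dispatch(int x) {
    pool_reset();
    struct widget *w = pool_alloc();
    w->on_event = real_handler;
    w->id = 1;

    pool_free(w);                         /* w is now dangling */

    /* A crafted page allocates another same-sized object; it lands in w's old
       slot, so the bytes it writes overwrite w's function pointer. */
    struct widget *attacker = pool_alloc();
    attacker->on_event = evil_handler;    /* attacker-controlled contents */
    attacker->id = 0x41414141;

    return w->on_event(x);                /* dispatches through attacker data */
}

/* Hardened pattern: release through a helper that nulls the caller's pointer,
   and treat a null pointer as an error instead of dereferencing it. */
static void widget_release(struct widget **wp) {
    pool_free(*wp);
    *wp = NULL;
}

int hardened_dispatch(int x) {
    pool_reset();
    struct widget *w = pool_alloc();
    w->on_event = real_handler;
    w->id = 1;

    widget_release(&w);                   /* w == NULL from here on */

    struct widget *attacker = pool_alloc();
    attacker->on_event = evil_handler;
    attacker->id = 0x41414141;

    if (w == NULL) return 0;              /* stale reference caught, not followed */
    return w->on_event(x);
}

/* Correct lifetime, for reference: use the object, then release it. */
int correct_dispatch(int x) {
    pool_reset();
    struct widget *w = pool_alloc();
    w->on_event = real_handler;
    w->id = 1;
    int r = w->on_event(x);
    widget_release(&w);
    return r;
}

int main(void) {
    printf("correct:    %d\n", correct_dispatch(21));    /* 42 */
    printf("vulnerable: %d\n", vulnerable_dispatch(21)); /* -21: attacker's handler ran */
    printf("hardened:   %d\n", hardened_dispatch(21));   /* 0: stale pointer refused */
    return 0;
}
```

With a real allocator the reuse is not always this tidy, which is why production exploits spend most of their effort on heap grooming; the nulling helper and the null check are the same defensive habit that compiler sanitizers and hardened allocators exist to enforce at scale.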
CISA instructs federal agencies to “apply mitigations as instructed by the vendor or discontinue use of the product if mitigations are not available,” meaning they must ensure the Chrome update is installed on every device, or take Chrome out of use until it is. While CISA's June 3 deadline only applies to U.S. federal government agencies, other public and private sector organizations should follow the same timeline.
The other Chrome zero-day vulnerabilities that made it into the KEV in May (CVE-2024-4761, CVE-2024-4947, CVE-2024-5274) must be patched, or the browser discontinued, by June 6, June 10, and June 16 respectively. Obviously, if you apply the update now, all four fixes come with it. At a minimum, update your browsers to 125.0.6422.112/.113 for Windows and Mac, and 125.0.6422.112 for Linux. Users of other Chromium-based browsers such as Microsoft Edge and Opera need the corresponding update from their own vendor, since those browsers carry different version numbers and update on their own schedule.