Updated June 3 with details of second CISA deadline and ad blocker warning.
For Google Chrome and its two-billion-plus desktop users, May will go down as a month to forget: four zero-days and emergency update warnings inside ten days, launched a tidal wave of wall-to-wall headlines that were hard to miss.
The US government has warned federal employees to install May’s emergency updates or to cease using Chrome. They issued a June 3 deadline for the first of those updates to be applied and a June 6 update for the second. It’s now June 3, and so you should have already applied the first update. This is a timely reminder that you must ensure you have applied the second update within the next 72 hours. Clearly, when you update your browser, all fixes to that point will be applied.
Others organizations should do the same and mandate full employee compliance, as should personal users. Google rushed out emergency fixes for a reason.
It looks like June 3 will be a significant day all round for Chrome. Not only is that the US government’s first update cutoff, but it’s also the day Google will start to pull the plug on many of the Manifest V2 extensions as its rollout of Manifest V3 takes shape.
While this will affect multiple developers and enterprises, headlines have focused on the detrimental effect this will have on ad blockers, which will need to adopt a complex workaround to work as now. There is a risk that users reading those headlines might seek to delay updating their browser, to prevent any ad blocker issues; you really shouldn’t go down this road—the security update is critical.
While Google gets credit for the speed and efficiency with which each of May’s emergency updates were released and announced—notwithstanding the awkward PR, the Manifest V2 change will generate more mixed user feedback. This is much more aligned with the deprecation of cookies as the other major under-the-hood change, a slightly confused user base being told everything is being done for the right reasons, but unsure how to execute in the real world.
As Arstechnica comments, “the deeply controversial Manifest V3 system was announced in 2019, and the full switch has been delayed a million times, but now Google says it’s really going to make the transition.”
None of this should stop users applying the emergency update immediately, if it’s not already done. There remains an urgency for users the world over the ensure the updates have installed. Chrome will update automatically, but users must then close and relaunch their browsers to ensure the update has been fully applied.
The US Government warnings comes via its Cybersecurity & Infrastructure Security Agency (CISA) adding May’s Chrome warnings to its Known Exploited Vulnerabilities (KEV) catalog, which details “vulnerabilities that have been exploited in the wild.”
With the procession of emergency updates having paused, at least for now, it’s a good time to issue reminder communications and apply whatever automated processes you have available across your organization. Clearly, home users should update as well.
The first of those vulnerabilities, a “Use after free in Visuals,” was reported on May 9 and added to KEV on May 13. “Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page,” CISA warns. “This vulnerability could affect multiple web browsers that utilize Chromium, including… Google Chrome, Microsoft Edge, and Opera.”
The second update, due June 6, is another memory issue—CVE-2024-4761, “Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page,” CISA explains.
Exploitation of both issues could allow an attacker to take control of your platform or device, either directly or as part of a chain attack. Targeting memory vulnerabilities opens the door to either running arbitrary code or destabilizing your system.
For both known exploitation vulnerabilities, CISA has instructed federal government employees to “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.” That means ensuring Chrome’s update has landed and installed. While CISA’s June 3 and June 6 deadlines specifically apply to US federal agencies, all other public and private sector organizations do the same.
The other Chrome zero-days that made their way into KEV in May—CVE-2024-4947 and CVE-2024-5274—require updates or discontinuance by June 10 and June 16 respectively. Clearly, applying an update now should ensure all mitigations have been applied. Ensure your browser updates to 125.0.6422.112/.113 for Windows, Mac and 125.0.6422.112 for Linux—at least.
