Update, Dec. 20, 2024: This story, originally published Dec. 19, now includes further advice on update action for organizations running any Chrome or Chromium-powered browsers.
Hot on the heels of an emergency update to Google’s Chrome web browser comes yet another security update for billions of users across multiple operating system platforms. This time, the update urgency remains the same, but the number of vulnerabilities does not: four high-rated vulnerabilities have been confirmed by Google; here’s what you need to know and do.
Urgent Google Chrome Security Update For All Users Confirmed—What You Need To Know
Google has confirmed that the Chrome web browser is being updated again, an update that will roll out in the coming days and weeks. The reason? A total of four high-rated security vulnerabilities which between them have earned the security researchers who discovered them a whopping $75,000 in hacker bounties.
The four vulnerabilities that Google has confirmed are:
- CVE-2024-12692: A type confusion vulnerability in the Chrome V8 Javascript rendering engine.
- CVE-2024-12693: An out-of-bounds memory access vulnerability in the Chrome V8 Javascript rendering engine.
- CVE-2024-12694: A use-after-free vulnerability in the Chrome browser compositing function.
- CVE-2024-12695: An out-of-bounds write vulnerability in the Chrome V8 Javascript rendering engine.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Prudhvikumar Bommana from the Google Chrome security team said, “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
How To Securely Update Google ChromeTo Ensure Protection From The Latest Vulnerabilities
Chrome has been updated to the following versions:
- 131.0.6778.204/.205 for Windows and Mac
- 131.0.6778.204 for Linux
- 131.0.6778.200 for Android
The more than 3 billion users of Google Chrome who are potentially impacted by these security vulnerabilities need to make sure that they are protected as soon as possible. If you are in that number, and the chances are high that you are, then you need to kickstart the updating process and then activate the updated browser itself to enable the protection to be in place. Google does automatically update the Chrome browser, but this relies on users restarting the client, which lots of people with lots of open tabs don’t like doing. So, please follow these steps now:
Head for the Help|About option in your Google Chrome menu to kickstart an automatic security update download.
Restart your Google Chrome browser after the update has been installed, or it will not activate, and you will still be vulnerable to attack.
Repeat step one to ensure that the Google Chrome update is installed and activated, and that you are now fully protected against these latest security threats.
Chrome Patch Management Advice For Organizations
In light of the latest Google Chrome web browser security update addressing a number of serious, high-severity memory vulnerabilities, Alex Vovk, CEO and co-founder of Action1, an endpoint and patch management company, has offered the following advice for organizations that are impacted:
- Ensure that all organizational systems that use the Google Chrome web browser are updated to the latest version—this can be done using remote management tools.
- Configure your browser settings through group policy or management tools to enable automatic updates for Chrome on all user endpoints as the norm.
- Deploy advanced endpoint protection solutions that can detect and prevent browser vulnerabilities from being exploited, such as behavioral detection and intrusion prevention systems.
- Conduct regular security assessments and penetration tests that include browser-based vulnerabilities in their scope.
“Communicate with employees about the importance of keeping software up to date,” including the likes of Google Chrome and other web browser clients using the Chromium engine, Vovk said, “and provide guidance on how to recognize update prompts and initiate manual updates when necessary.”
