Don't Delay! Update Chrome Now to Avoid Attacks (Especially by June 3rd & 6th)

Google Chrome users face urgent security updates in May alongside the retirement of Manifest V2 extensions, impacting ad blockers and prompting a call to action

by Sededin Dedovic

It was a rough month for Google Chrome users with four zero-day vulnerabilities and urgent updates in May. The US government mandated urgent updates by June 3rd and 6th, while Google is retiring Manifest V2 extensions, which negatively impacts ad blockers.

A Month to Forget for Chrome and its Two Billion Users

For Google Chrome and its two billion desktop users, May will be remembered as a month to forget: four zero-day vulnerabilities and urgent updates within ten days triggered a wave of headlines that were hard to miss.

The US government warned employees in federal institutions to install urgent updates from May or stop using Chrome. The first deadline for these updates is June 3rd, and the second is June 6th. Today is June 3rd, and you should have already applied the first update.

This is a timely reminder to make sure the second update is applied within the next 72 hours. Updating your browser applies all updates available at that time. Other organizations should do the same and require full compliance from employees, and individual users should update as well.

Google has urgently issued fixes for a valid reason.

June 3rd Marks a Significant Day for Chrome

June 3rd seems like a significant day for Chrome. Not only is it the US government deadline for the first update, but it's also the day Google will start retiring many Manifest V2 extensions as they transition to Manifest V3.

While this will impact many developers and businesses, headlines have focused on the negative effect this will have on ad blockers, which will need to adopt a complex workaround to function as they do now. There's a risk that users reading these lines might postpone updating their browser to avoid issues with ad blockers; they really shouldn't do that at all – a security update is crucial.

Google Chrome Requires Urgent Update Action

While Google deserves credit for the speed and efficiency with which each of May's urgent updates was released and announced, the Manifest V2 change will generate more varied user feedback.

This is much more in line with the loss of significance of cookies, another major under-the-hood change: a confused user base is being told it's all for good reasons, but isn't quite sure how it applies in the real world.

As Ars Technica comments, "the deeply controversial Manifest V3 system was announced in 2019, and the full change has been delayed many times, but now Google says it will actually make the transition." None of this should prevent users from applying the urgent update right away, if they haven't already.

There's still an urgency for users worldwide to ensure the updates are installed. Chrome will automatically update, but users need to close and relaunch the browser to ensure the update is fully applied.


US Government Warnings Come Through CISA

The US government warnings come through its Cybersecurity and Infrastructure Security Agency (CISA), which in May added Chrome to its catalog of Known Exploited Vulnerabilities (KEV), which details "vulnerabilities that have been exploited in practice." Since the urgent update process is on hold, at least for now, this is a good time to issue a reminder and to apply all automated processes available within your jurisdiction.

It's clear that even home users should urgently update their Google Chrome browser.

Better Safe Than Sorry, System Security Isn't a Gamble

The first of these vulnerabilities, "Use after free in Visuals," was reported on May 9th and added to the KEV on May 13th.

"Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit memory corruption through a crafted HTML page," warns CISA. "This vulnerability can affect multiple web browsers that use Chromium, including... Google Chrome, Microsoft Edge, and Opera."

The second update, which needs to be applied by June 6th, addresses another memory issue, CVE-2024-4761: "Google Chromium V8 Engine contains an unspecified memory write vulnerability through a crafted HTML page," explains CISA.

Exploitation of both issues could allow an attacker to take control of your platform or device, either directly or as part of an attack chain. Targeting memory vulnerabilities opens the door to either running arbitrary code or destabilizing your system.

For both known exploited vulnerabilities, CISA has mandated that federal employees "apply mitigations according to vendor guidance or discontinue use of the product if mitigations are not available." This means ensuring the Chrome update is installed.

While CISA's deadlines of June 3rd and 6th specifically apply to US federal agencies, all other public and private organizations should do the same. If your system is outdated, or is a type of computer and operating system that no longer receives Chrome updates, you should uninstall the browser instead of risking exploitation by malicious attackers.

Other Chrome zero-day vulnerabilities that reached the KEV in May – CVE-2024-4947 and CVE-2024-5274 – require updates or discontinuation of use by June 10th and 16th. Clearly, applying the updates now should ensure all patches are applied.

Make sure your browser updates to version 125.0.6422.112/.113 for Windows and Mac, and 125.0.6422.112 for Linux, warns Forbes.
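For administrators checking many machines against that build, the sketch below is an added example, not code from the article, Google, or CISA. It classifies hosts as patched, awaiting relaunch, or outdated, and compares builds numerically because a text comparison ranks 125.0.6422.76 above 125.0.6422.112. The host names, the inventory rows, and the assumption that an inventory tool reports both the running and the installed build are constructed for illustration.

```python
# Added example: audit Chrome builds against the version named in the article.
# Host names and inventory rows below are constructed sample data.
from typing import NamedTuple

# Minimum build quoted in the article for each platform.
MIN_BUILD = {"windows": "125.0.6422.112", "mac": "125.0.6422.112",
             "linux": "125.0.6422.112"}

class Host(NamedTuple):
    name: str
    platform: str
    running: str    # build of the browser process that is currently open
    installed: str  # build on disk after the automatic update

def parse(version):
    """Split 'a.b.c.d' into ints so builds compare numerically, not as text."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {version!r}")
    return tuple(int(p) for p in parts)

def classify(host):
    minimum = parse(MIN_BUILD[host.platform])
    try:
        running, installed = parse(host.running), parse(host.installed)
    except ValueError:
        return "unknown"          # no usable data: treat as not compliant
    if running >= minimum:
        return "patched"
    if installed >= minimum:
        return "relaunch-needed"  # update downloaded, old process still open
    return "outdated"

def audit(inventory):
    return {h.name: classify(h) for h in inventory}

INVENTORY = [
    Host("ws-01", "windows", "125.0.6422.113", "125.0.6422.113"),
    Host("ws-02", "windows", "125.0.6422.76", "125.0.6422.112"),
    Host("mac-03", "mac", "124.0.6367.207", "124.0.6367.207"),
    Host("lnx-04", "linux", "125.0.6422.112", "125.0.6422.112"),
    Host("kiosk-05", "linux", "", ""),
]

if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name:10} {status}")
```

Hosts reported as relaunch-needed have the fix on disk but are still exposed until the browser is closed and reopened.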