Chipp.in Tech News and Reviews

Windows, Security & Privacy, Open Source and more


Category: Security & Privacy

Facebook will use your data for AI training, unless you opt-out

Posted on June 2, 2024 by Martin Brinkmann

Meta is currently notifying its Facebook users about a privacy-impacting change that will go into effect on June 26, 2024.

The company says that it is expanding “AI at Meta experiences” to the user’s region. AI refers to the “collection of generative AI features and experiences” at Meta. It includes Meta AI and AI Creative Tools according to the notification.

All Facebook users are opted-in automatically. Those who do not want their data to be used for AI training need to opt-out. This opt-out is not straightforward and it appears to be a deliberate decision by Meta.

A click on the right to object link in the notification opens the Object to Your Information Being Used for AI at Meta page.

The page offers information on the data that Meta plans to use for AI training and the data that it won’t use. In a nutshell, public data, for instance posts or photos, will be used. Private data, including private messages, won’t be used.

For the opt-out, it is necessary to provide the following information:

  • Country of residence.
  • Email address.
  • Writing an essay on “how this processing impacts you”.

There is also one optional text field that users can fill out to provide additional information.

Meta processes the information, and the notification sounds as if it can accept or decline the request. Meta writes:

If your objection is honored, it will be applied going forward.

This is not the end of it though. Meta sends a confirmation code to the email address. This code needs to be entered into a form on the Facebook website to confirm the email address.

Meta then says that it will review the submission as soon as possible. It took less than a minute to receive the answer:

Hi Martin,

We’ve reviewed your request and will honor your objection. This means your request will be applied going forward.

If you want to learn more about generative AI, and our privacy work in this new space, please review the information we have in Privacy Center.

facebook.com/privacy/genai

This inbox cannot accept incoming messages. If you send us a reply, it won’t be received.

Thanks,
Privacy Operations

In case you are wondering what I wrote in the required text field, it was “I object to the use of my data for the training of AI at Meta”.

Whether Meta is analyzing user requests with AI is unclear, but it seems very unlikely that a human processed the request in less than a minute after sending it.

If someone could try and write nonsense in the field, we’d know for sure.

What about you? Do you mind if your public data is used for AI training?

Latest Chrome 125 security update fixes 11 unique issues

Posted on May 31, 2024 by Martin Brinkmann

Google has released a new security update for its Chrome web browser for all supported platforms. The update patches 11 unique security issues in the browser. It comes days after an out-of-band security update for Chrome to address a 0-day security vulnerability.

While the issues do not appear to be exploited at the time of writing, it is recommended to update Chrome immediately.

This is done by loading chrome://settings/help in the browser’s address bar or selecting Menu > Help > About Google Chrome manually.

Chrome lists the installed version and will download a new version that it finds automatically on desktop systems.

Pro Tip: open a command prompt window on Windows and run winget upgrade google.chrome.exe to update Chrome without opening it.

Chrome should display one of the following versions after installation of the update:

  • Chrome for Mac or Windows: 125.0.6422.141 or 125.0.6422.142
  • Chrome for Linux: 125.0.6422.141
  • Chrome Extended Channel for Mac or Windows: 124.0.6367.243
  • Chrome for Android: 125.0.6422.146 or 125.0.6422.147

The security fixes

Google lists seven of the eleven security issues that it fixed in the Chrome update on the official releases site.

All seven have a severity rating of high. Google does not publish information about security issues that it discovered internally. The severity of the four unmentioned security issues is unknown as a consequence.

Here is what Google reveals about the listed security issues:

  • [$7000][339877165] High CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-05-11
  • [TBD][338071106] High CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [TBD][338103465] High CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [TBD][338929744] High CVE-2024-5496: Use after free in Media Session. Reported by Cassidy Kim(@cassidy6564) on 2024-05-06
  • [TBD][339061099] High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2024-05-07
  • [TBD][339588211] High CVE-2024-5498: Use after free in Presentation API. Reported by anymous on 2024-05-09
  • [TBD][339877167] High CVE-2024-5499: Out of bounds write in Streams API. Reported by anonymous on 2024-05-11

The security issues affect several components of the browser, including APIs, keyboard inputs, media session, WebRTC, and Dawn. Dawn is an “open-source and cross-platform implementation of the WebGPU standard” according to Google Source.

Google fixes another 0-day exploit in Google Chrome

Posted on May 24, 2024 by Martin Brinkmann

Google has released quite a few security updates for its Chrome web browser in recent months. Besides the weekly scheduled security updates, Google has released updates to address 0-day vulnerabilities in Chrome.

Today, Google released another security update for Google Chrome to address a 0-day exploit. The issue affects all desktop versions of Chrome and Chrome for Android.

Chrome users may want to install the update immediately to fix the issue. Here is how that is done on desktop systems (there is no option to speed up the installation of Chrome updates on Android):

  • Load chrome://settings/help in the Chrome address bar.
  • Chrome displays the current version and runs a check for updates.

Updates will get installed automatically at this point, but you need to restart the browser manually to complete the update.

Chrome should return the following version after installation of the update:

  • Chrome for Windows and Mac: 125.0.6422.112 or 125.0.6422.113
  • Chrome Extended Stable for Windows or Mac: 124.0.6367.233
  • Chrome for Linux: 125.0.6422.112
  • Chrome for Android: 125.0.6422.112 or 125.0.6422.113

About the Chrome security vulnerability

The official release notes page lists basic information about the vulnerability only. It is CVE-2024-5274, a Type Confusion in V8 issue. Google has rated the vulnerability as high and notes that it is exploited in the wild.

V8 is the JavaScript and WebAssembly engine that Google Chrome uses.

In other words, systems with an outdated version of Chrome may be successfully attacked. It is unclear how the issue can be exploited, however.

The last update that fixed a 0-day vulnerability in Google Chrome was released just 2 weeks ago. It is the 8th 0-day exploit fix in Chrome in this year alone.

Google fixes Chrome security issue that is exploited in the wild

Posted on May 10, 2024 by Martin Brinkmann

Just days after the weekly Google Chrome security update comes another security update for the web browser. This one is unscheduled, as it fixes a 0-day security issue in Google Chrome that is exploited in the wild.

Google Chrome users should update the browser immediately to protect the browser and their data. Here is how that is done:

  • Open Google Chrome on a desktop system.
  • Select Menu > Help > About Google Chrome.

The browser displays the current version and runs a check for updates. It should pick up the security update and install it automatically.

Windows users may also launch a command prompt window and run winget upgrade Google.Chrome.EXE to update the browser to the latest version.

One of the following versions should be displayed by Chrome after installation of the update:

  • Chrome for Windows or Mac: 124.0.6367.201 or 124.0.6367.202
  • Chrome for Linux: 124.0.6367.201
  • Chrome Extended for Windows or Mac: 124.0.6367.201

The Chrome 0-day security issue: what we know

Google reveals little about the security issue on the official Chrome Releases website.

[N/A][339266700] High CVE-2024-4671: Use after free in Visuals. Reported by Anonymous on 2024-05-07

Google is aware that an exploit for CVE-2024-4671 exists in the wild.

The security issue is rated high and it is a use after free in Visuals. It was reported to Google on May 7, 2024, which means that it could have been exploited at least since that date. It is unclear how this issue can be exploited.

Other Chromium-based web browsers are also affected by the issue. This means that browsers such as Microsoft Edge, Vivaldi, Brave, or Opera are all vulnerable until an update is released.

Expect updates for these browsers in the coming hours and days.

Chrome on Android does not seem to be affected by the issue, as Google has not published an update for the browser or made an announcement on the releases blog regarding the platform.

When do you update browsers?

AI is capable of creating exploits from public CVEs

Posted on April 22, 2024 by Martin Brinkmann

AI tools are capable of writing exploits for publicly disclosed security vulnerabilities.

A team of University of Illinois researchers analyzed the capabilities of different Large Language Models in this regard. It found out that OpenAI’s GPT-4 managed to create exploit code for 87% of the tested vulnerabilities.

The figure dropped to 7% without access to the CVE description. Other AI models, including GPT-3.5, could not create any exploits based on public CVEs.

The researchers note:

When given the CVE description, GPT-4 is capable of exploiting 87% of these vulnerabilities compared to 0% for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and Metasploit).

The researchers did not put other large language models to the test. Google Gemini or Claude 3, for example, were not part of the test.

How the tests were conducted

The researchers selected 15 one-day vulnerabilities from the Common Vulnerabilities and Exposures database for the test. All vulnerabilities were reproduced in “highly cited academic papers” according to the research paper.

The single large language model agent that the researchers created gave the AI access to tools, the CVE description, and the ReAct agent framework. Tools included capabilities to browse the Internet and activate elements, a code interpreter, and file creation.

The agent consisted of a total of 91 lines of code according to the researchers.

AI is improving, but there are challenges

OpenAI’s GPT-4 large language model managed to create exploits for 87% of the 15 vulnerabilities. That’s a huge jump from GPT 3.5’s 0%.

The researchers have verified that — at least one — large language model is now capable of creating exploit code based on publicly available information.

While GPT-4 performed well in tests, it experienced its fair share of challenges as well. The detailed description of one vulnerability was provided in Chinese only, which the researchers believe might have confused the AI, as the prompt given to it was provided in English.

The second vulnerability that GPT-4 could not crack required navigating a site using JavaScript navigation.

The researchers conclude that large language model providers and the cybersecurity community should take these capabilities into consideration, especially in regards to defensive measures.

Closing Words

The capabilities of large language models have increased significantly since the first release of ChatGPT last year. The capabilities will improve further in the coming months and years.

It is likely that threat actors will use large language models to automate processes. Exploits may be used sooner as a consequence by a wider pool of threat actors.

What is your take on this? Will we see an increase in exploit code in the coming years?

You can now sign in to Microsoft accounts using Outlook

Posted on April 9, 2024 by Martin Brinkmann

Microsoft’s Outlook app may now be used to sign in to Microsoft accounts and services. How useful is the new functionality?

Sign ins to accounts on the Web or locally on devices are still a major nuisance for users. If you follow security guidelines, you pick a secure unique password for each service, and preferably, enable two-factor authentication as well.

Passkeys promise an improvement, but most Internet services and operating systems do not fully support them yet.

Microsoft has now enabled authentication functionality in its Outlook app to improve the login flow and make it more secure for certain setups. Classic two-factor authentication options such as text messaging are insecure, as the code is submitted in clear text.

Using the Outlook app for authentication

The main idea here is to use Outlook to verify the sign in. It works similarly to Authenticator apps, including Microsoft Authenticator.

Here is the entire process:

  1. You submit your username and password to sign in to your Microsoft account. This can be in Microsoft 365, OneDrive, Teams, or even Microsoft Windows.
  2. Microsoft displays a number on the next screen and prompts you to check your Outlook app.
  3. You need to tap on the right number, out of three presented to you, in the Outlook app.
  4. You then need to allow this using biometric or PIN verification.

Why is Microsoft introducing the functionality?

Microsoft Authenticator offers this functionality already. Why then is Microsoft introducing it in Outlook? Microsoft does not say in the official announcement.

The most likely reason is reach. Microsoft Authenticator has over 100 million downloads on Google Play, which is impressive for such an app. Microsoft Outlook, however, has over 1 billion downloads on Google Play alone. While a good portion of these downloads are not active, it is still likely that the Outlook app has a bigger reach than the Authenticator app.

Microsoft can reach ten times as many users in Outlook. To make things even simpler, the company is enabling the new functionality automatically in the latest Outlook app.

Microsoft says:

This sign-in verification functionality will be automatically enabled when you use the latest version of the Outlook app.  

In other words, if you use the Outlook app on Android, it sounds as if you have two factor authentication enabled automatically for your account. I have the app installed, but cannot verify this at this point because of Microsoft’s rollout of the feature.

There is a chance that this functionality becomes available only to users who have two-factor authentication enabled already for their accounts. This would improve the process, if they use weaker verification options, such as text messages.

Closing Words

Microsoft’s Authenticator app offers advantages over the Outlook implementation. Microsoft notes that users of the Authenticator app can continue using it. The app supports adding different accounts as well, while the Outlook app is limited to securing Microsoft accounts.

Microsoft says that the functionality is rolling out to all Android users. An iOS update is in development already and will be launched in the future.

Do you use two-factor authentication to improve account security?

Cookie stealing may soon be a thing of the past

Posted on April 3, 2024 by Martin Brinkmann

Google is working on a new security feature for the Web that aims to protect users against cookie theft malware better. Called Device Bound Session Credentials (DBSC), its main purpose is to bind cookies to the user’s device.

To better understand this, it is necessary to analyze the current situation. When you sign in to a web service, a cookie is usually saved to the local system. This session cookie may then be used in future sessions. The effect is that you do not need to sign in again, as this has been done in the past.

Cookies expire eventually, but until that happens, they may be used. One of the problems that arises is that cookies may also be used on other systems. This is what makes them attractive to criminals. If they manage to get their hands on session cookies, they may access the service without authentication.

A subtype of malware is designed to find and extract cookies from user systems. While this requires access to the user’s system in one way or another, it is a fairly common type of attack.

Device Bound Session Credentials

As the name implies, Device Bound Session Credentials limit cookies to individual devices. If you sign in to a web service, the boundary is your computer (or a particular application). Anyone stealing the cookie cannot use it to access the account on another device, thanks to the new protective system.

Google explains:

By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.

Google admits that attackers may still get value out of attacks, but only if they act on the user system thanks to the boundary.

Technically, DBSC uses key pairs that are created when a new session starts. The private key is stored by the operating system and protections such as TPM help protect the keys against attacks. Servers may associate sessions with the public key; this ensures that a session is still on the original device.

Google notes that there is no “persistent user tracking” as sites may not “correlate keys from different sessions”. Keys may also be deleted at any time using the browser, e.g., Chrome’s option to delete site data.
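The key-pair binding described above, as an added sketch that is neither Chrome's implementation nor the DBSC wire protocol: the server stores the public key registered at session start and only renews the session cookie for a caller who signs a fresh challenge with the matching private key. The class names, the message format, the P-256 curve and the ten-minute cookie lifetime are assumptions, and the private key sits in process memory here instead of a TPM.

```javascript
const { generateKeyPairSync, sign, verify, randomBytes, timingSafeEqual } = require('node:crypto');

const COOKIE_TTL_MS = 10 * 60 * 1000; // assumed cookie lifetime for this sketch

const sameToken = (a, b) =>
  a.length === b.length && timingSafeEqual(Buffer.from(a), Buffer.from(b));

// Browser side (hypothetical): one key pair per session, private key never exported.
class Device {
  constructor() {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  signChallenge(sessionId, challenge) {
    return sign('sha256', Buffer.from(`${sessionId}.${challenge}`), this.privateKey).toString('hex');
  }
}

// Server side (hypothetical): associates each session with the registered public key.
class SessionServer {
  constructor() { this.sessions = new Map(); }

  register(publicKeyPem) {
    const id = randomBytes(16).toString('hex');
    this.sessions.set(id, { publicKeyPem, challenge: null, cookie: null, expires: 0 });
    return id;
  }

  issueChallenge(sessionId) {
    const s = this.sessions.get(sessionId);
    if (!s) return null;
    s.challenge = randomBytes(32).toString('hex');
    return s.challenge;
  }

  // Renew the cookie only if the signature over the pending challenge verifies.
  refresh(sessionId, signatureHex, now = Date.now()) {
    const s = this.sessions.get(sessionId);
    if (!s || !s.challenge) return null;
    const signed = Buffer.from(`${sessionId}.${s.challenge}`);
    s.challenge = null; // single use, so a captured signature cannot be replayed
    let ok = false;
    try {
      ok = verify('sha256', signed, s.publicKeyPem, Buffer.from(signatureHex, 'hex'));
    } catch {
      ok = false;
    }
    if (!ok) return null;
    s.cookie = randomBytes(16).toString('hex');
    s.expires = now + COOKIE_TTL_MS;
    return s.cookie;
  }

  authorize(sessionId, cookie, now = Date.now()) {
    const s = this.sessions.get(sessionId);
    return Boolean(s && s.cookie && now < s.expires && sameToken(cookie, s.cookie));
  }
}

// Constructed scenario: the cookie is copied to a second machine with its own key pair.
function demo() {
  const server = new SessionServer();
  const device = new Device();
  const otherMachine = new Device();
  const sid = server.register(device.publicKeyPem);

  const t0 = 1_000_000;
  const firstSig = device.signChallenge(sid, server.issueChallenge(sid));
  const cookie = server.refresh(sid, firstSig, t0);
  const later = t0 + COOKIE_TTL_MS + 1;

  const result = { deviceAccepted: server.authorize(sid, cookie, t0 + 1000) };
  result.copiedCookieAfterExpiry = server.authorize(sid, cookie, later);
  server.issueChallenge(sid);
  result.replayAccepted = server.refresh(sid, firstSig, later) !== null;
  const foreignSig = otherMachine.signChallenge(sid, server.issueChallenge(sid));
  result.otherMachineRenewed = server.refresh(sid, foreignSig, later) !== null;
  const freshSig = device.signChallenge(sid, server.issueChallenge(sid));
  result.deviceRenewed = server.refresh(sid, freshSig, later) !== null;
  return result;
}
```
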

Going forward

Google has open sourced the project and plans to make it a public standard. It is already experimenting with a prototype in Chrome Beta that protects Google Account users. Some companies, including Microsoft, have expressed interest already in DBSC.

You can check out Google’s post on the Chromium blog for an overview or the technical explainer on GitHub for additional information.

Firefox 124.0.1 fixes two critical security issues

Posted on March 22, 2024 by Martin Brinkmann

It has been just a few days since the release of Firefox 124.0, but here is Firefox 124.0.1 already. Usually, when this happens, it is either a security update or a bug fix update that addresses major issues.

It is a security update in the case of Firefox 124.0.1. The official release notes include just two words: “Security fixes”. The issue affects desktop versions of the web browser. It is unclear if the Android version is also affected. There is no release notes page for Firefox 124.0.1 for Android at the time of writing.

The security advisory page lists two security issues that Mozilla addressed in the Firefox update. Both have a severity rating of critical, which is the highest severity rating available:

  • CVE-2024-29943: Out-of-bounds access via Range Analysis bypass
  • CVE-2024-29944: Privileged JavaScript Execution via Event Handlers

Both security issues were reported to Mozilla by Manfred Paul via Trend Micro’s Zero Day Initiative.

The first security issue could allow an attacker to “perform an out-of-bounds read or write” on JavaScript objects by “fooling range-based bounds check elimination”.

The second issue allows an attacker to “inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process”.

Without going into too many details on the issues, they’d allow an attacker to execute JavaScript code or control JavaScript objects in the Firefox web browser.

Mozilla does not reveal if the issues are exploited in the wild. It is a good idea to update Firefox Stable installations as soon as possible to protect the browser from potential attacks targeting the vulnerabilities.

Updating Firefox

The security update is available already. While most Firefox installations will get updated automatically, cautious Firefox users and system administrators may want to speed up the installation of the update.

Here is how this is done:

  1. Open the Firefox web browser.
  2. Select Menu > Help > About Firefox.
  3. Firefox displays the current version. It should pick up the update at the same time. In other words, it is downloaded and installed automatically.
  4. A restart of the browser is required to complete the process.

Repeat the steps above and you should see Firefox 124.0.1 listed as the version on the about page.

Firefox is also available on the Mozilla website. Click here to open the download page and download the latest version to the local system.

Google turns Safe Browsing real-time checks on in Chrome

Posted on March 15, 2024 by Martin Brinkmann

Announced last year, Google has now enabled real-time Safe Browsing checks in its Chrome web browser.

Safe Browsing is a security component of the Google Chrome web browser. Its main purpose is to warn users about malicious websites or downloads. This includes protections against known phishing websites and malware.

Google Chrome used a local list of known malicious sites by default previously. This list was updated every 30 to 60 minutes by the browser. This meant that there was a short period in which new known threats were not blocked by the browser.

Google calculated that “average malicious” sites exist for less than 10 minutes. In other words, a good portion of malicious sites do not exist anymore when Chrome updates the local Safe Browsing list.

Chrome users could switch the security setting to enhanced to get real-time checks. This new real-time checking of threats is now available in all Safe Browsing modes.

Safe Browsing changes

Google Chrome uses a Safe Browsing list on Google servers now to check any site that is getting opened against it. This improves the protection of users. Google estimates that this should improve the blocking of phishing attempts by 25%.

The change is rolling out to Chrome desktop users already. Android will also get the change “later this month” according to Google.

The option to enable Enhanced Protection is still available. This includes real-time checks as well, but also use of “AI to block attacks, provides deep file scans and offers extra protection from malicious Chrome extensions”.

What about privacy?

Google says that the new real-time nature of Safe Browsing checks is privacy-preserving.

Here is what happens in Chrome when a site is visited (according to Google):

  1. The cache is checked to see if the site is known to be safe already.
  2. If it is not in the cache, Chrome needs to check it against the remote Safe Browsing list.
  3. Chrome starts by obfuscating the URL locally into 32-byte full hashes.
  4. The hash is then truncated into 4-byte long chunks.
  5. These are encrypted by Google Chrome and transferred to a “privacy server”.
  6. The privacy server removes “potential user identifiers” before forwarding the encrypted hash chunks to the Safe Browsing server.
  7. There the data is decrypted and checked against the database.
  8. If a match is found, Chrome shows a warning to the user.

Google entered into a partnership with Fastly to “operate an Oblivious HTTP privacy server” that sits between the Chrome web browser and Safe Browsing.

The main idea behind Oblivious HTTP is to block the receiving server from linking requests to specific clients. Google published a blog post on the Chrome Security blog that offers additional information on the implementation in Chrome and server infrastructure.
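Steps 3, 4, 7 and 8 of the list above, as an added example that is not Chrome's or Google's code: it builds the host-suffix and path-prefix expressions described in the public Safe Browsing API documentation (simplified, without full URL canonicalization), hashes each with SHA-256 and lets only the 4-byte prefixes leave the client. The blocklist entries, the `serverLookup` stand-in and the `.example` URLs are constructed for illustration; encryption and the privacy server are left out.

```javascript
const { createHash } = require('node:crypto');

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest();

// Host-suffix/path-prefix expressions for one URL. Simplified: relies on the
// URL parser for normalization and skips the full canonicalization rules.
function urlExpressions(rawUrl) {
  const u = new URL(rawUrl);
  const host = u.hostname.toLowerCase();
  const hosts = [host];
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    // Up to four extra suffixes taken from the last five labels, never the bare TLD.
    const labels = host.split('.');
    for (let i = Math.max(1, labels.length - 5); i < labels.length - 1; i++) {
      hosts.push(labels.slice(i).join('.'));
    }
  }
  const paths = [];
  if (u.search) paths.push(u.pathname + u.search);
  paths.push(u.pathname);
  // Root plus leading directories, at most four prefix paths.
  const dirs = ['/'];
  for (const segment of u.pathname.split('/').filter(Boolean).slice(0, -1)) {
    dirs.push(dirs[dirs.length - 1] + segment + '/');
  }
  for (const dir of dirs.slice(0, 4)) if (!paths.includes(dir)) paths.push(dir);
  return hosts.flatMap((h) => paths.map((p) => h + p));
}

// Step 3: 32-byte full hash per expression. Step 4: keep only the first 4 bytes.
function hashPrefixes(rawUrl) {
  return urlExpressions(rawUrl).map((expr) => {
    const full = sha256(expr);
    return { expr, full: full.toString('hex'), prefix: full.subarray(0, 4).toString('hex') };
  });
}

// Constructed stand-in for the Safe Browsing database (step 7).
const BLOCKLIST = ['phish.example/login/', 'malware.example/'].map((e) => sha256(e).toString('hex'));

// The server sees prefixes only and answers with the full hashes that share them.
function serverLookup(prefixes) {
  return BLOCKLIST.filter((full) => prefixes.includes(full.slice(0, 8)));
}

// Step 8: the client compares the returned full hashes with its own and decides.
function checkUrl(rawUrl) {
  const hashes = hashPrefixes(rawUrl);
  const request = hashes.map((h) => h.prefix); // everything that leaves the client
  const candidates = serverLookup(request);
  const hit = hashes.find((h) => candidates.includes(h.full));
  return { request, verdict: hit ? 'warn' : 'allow', matched: hit ? hit.expr : null };
}
```

Because many different URLs share the same 4-byte prefix, the lookup server cannot tell from the request alone which page was visited; a prefix collision without a matching full hash still yields `allow`.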

Closing Words

Real-time checks should improve protection for users without impacting their privacy. Other browsers that also use Safe Browsing may not be affected by the change if they download Safe Browsing lists instead of using real-time checks.

Those who use Chrome but do not want these real-time checks can turn off Safe Browsing

Google says it has optimized Safe Browsing in Chrome

Posted on February 14, 2024 by Martin Brinkmann

Safe Browsing is a core security feature of Google’s Chrome web browser. The technology is also used by other browsers, often indirectly to improve privacy.

Google revealed in a new post on the Chromium blog that it has optimized Safe Browsing checks in the Chrome web browser.

The changes bring a performance boost to Safe Browsing checks thanks to the use of asynchronous checks. Some checks are also scaled back to reduce their impact on the page loading time.

Safe Browsing: Asynchronous checks

Safe Browsing checks block pages from loading. This is a security precaution to ensure that malicious content is blocked before it can be loaded by the Chrome browser.

This is usually not a problem for local checks according to Google. Checks on Internet websites, on the other hand, add latency to the loading of the page.

Google Chrome 122 enables asynchronous Safe Browsing checks. This allows sites to load content during checks. Google says that this will reduce page load times in Chrome and improve the overall user experience.

Chrome continues to show a warning page if Safe Browsing determines that a page or one of its resources is problematic.

There is also potential for improving new artificial intelligence and machine learning algorithms “to detect and block more phishing and social engineering attacks” according to Google. In the past, such experiments could have affected the page loading time further.

Risks associated with the change

Since pages may load while Safe Browsing checks take place, there is a chance of attacks.

Google says that it has evaluated two common attack types and concluded that sufficient mitigations are in place:

  • Phishing and social engineering attacks — Phishing sites may load while checks are still ongoing. Google believes that it is unlikely that users will have the time to interact with the site in a way that would impact security. Selecting a password field and typing the password, for instance, should take longer than the Safe Browsing check.
  • Browser exploits — Chrome has a local list of sites that attack using browser exploits. Checks continue to be made asynchronously and Google recommends keeping Chrome up to date to block most attacks from being effective.

Sub-resource and PDF checks

Two additional checks are listed by Google that are impacted by the optimizations.

  • Sub-resource checks — attacks using sub-resources are declining, according to Google. New protections, including intelligence gathering, threat detection, and Safe Browsing APIs, protect users in real-time without specifically needing to check sub-resources. As a consequence, Google Chrome will no “longer check the URLs of sub-resources with Safe Browsing”.
  • PDF download checks — Google reduced the frequency of PDF download checks. PDF documents were used for attacks in the past, but widespread attacks are rare thanks to improvements to Chrome’s PDF viewer. Google notes that most PDF files use links for attacks. These links may open in Chrome, which gives Safe Browsing a chance to block the attack.

Closing Words

Google benefits from the reduction in checks. PDF checks alone reduce Safe Browsing checks “billions of times” each week. The removal of checks may push certain forms of attacks again. Sub-resource attacks may see a revival as malicious actors find new ways to exploit the change.

Chrome users may check the browser’s Safe Browsing preferences under chrome://settings/security. There they find the two main options — standard and enhanced protection — as well as an option to turn off the security feature entirely.
