
Google Warns over 3 Billion Chrome Users: It's Time for an Update

With Google verifying numerous significant security flaws spanning various platforms, the advice is straightforward and time-sensitive: upgrade your Chrome browser promptly.



Update, Dec. 21, 2024: This report, first published Dec. 19, now includes new details about an experimental Chrome security feature and advice on update actions for organizations running any Chrome or Chromium-based browsers.

Hot on the heels of an urgent Chrome browser update comes another security patch for billions of users across numerous operating systems. The alert level remains high, but the number of vulnerabilities differs: Google has confirmed four critical vulnerabilities; here's what you need to know and do.

Urgent Chrome Browser Security Patch for All Users: What You Need to Know

Google has verified that the Chrome browser is being updated yet again, with the rollout expected to begin soon. The cause? A tally of four critical vulnerabilities, which combined have earned the researchers who discovered them a significant $75,000 in bug bounties.

The four vulnerabilities that Google has validated are:

  • CVE-2024-12692: A type confusion flaw in Chrome's V8 JavaScript engine.
  • CVE-2024-12693: An out-of-bounds memory access flaw in Chrome's V8 JavaScript engine.
  • CVE-2024-12694: A use-after-free bug in Chrome's browser compositing component.
  • CVE-2024-12695: An out-of-bounds write flaw in Chrome's V8 JavaScript engine.

"Access to bug details and links might remain limited until the majority of users have been updated with a fix," stated Prudhvikumar Bommana from the Google Chrome security team. "We will also preserve limitations if the bug exists in a third-party library that other projects still depend on, but haven't yet addressed."

Safeguarding Your Google Chrome Update

Chrome has been updated to the following versions:

  • 131.0.6778.204/.205 for Windows and Mac
  • 131.0.6778.204 for Linux
  • 131.0.6778.200 for Android

The more than 3 billion users of Google Chrome who may be affected by these vulnerabilities need to prioritize their protection with urgency. If you're among those billions, chances are high that you are impacted. Follow these steps to safeguard yourself:

  1. Access the Help > About option in your Google Chrome menu to initiate an automatic security update download.
  2. Restart your Google Chrome browser after the update has been installed, or the protection will not activate, and you will remain vulnerable to attack.
  3. Repeat step one to ensure that the Google Chrome update is installed and activated, and that your protection is now in place against these new threats.

Chrome updates automatically, but this relies on users restarting the client, which many people with numerous open tabs dislike doing. So, please adhere to these steps now.

Chrome Patch Management Advice for Organizations

In the wake of the latest Google Chrome web browser security update addressing a slew of critical, high-severity memory vulnerabilities, Alex Vovk, CEO and co-founder of Action1, an endpoint and patch management company, has offered the following advice for impacted organizations:

  1. Ensure that all organizational systems using the Google Chrome web browser are updated to the latest version, which can be done via remote management tools.
  2. Configure browser settings using group policy or management tools to enable automatic updates for Chrome on all endpoints as the default.
  3. Implement advanced endpoint protection solutions, such as behavioral detection and intrusion prevention systems, to detect and prevent browser vulnerabilities from being exploited.
  4. Conduct regular security assessments and penetration tests, which include browser-based vulnerabilities in their scope.
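The first of Vovk's recommendations, together with the patched version numbers listed earlier and the restart requirement from the user steps, comes down to one check an administrator can automate: is every endpoint on a build at or above the fixed one, and has the browser actually been relaunched? The following Python is an added example, not code from Google, Action1 or this article. It assumes an inventory export with a hostname, platform, reported Chrome version and a constructed "restarted since update" attribute; the hostnames and versions in SAMPLE_INVENTORY are constructed for illustration. The minimum builds are the ones named on this page. The version comparison is done on integer tuples rather than strings, because a plain string comparison would wrongly rate a build such as 131.0.6778.99 as newer than 131.0.6778.204.

```python
"""Chrome patch-compliance check over an endpoint inventory (added example)."""
from dataclasses import dataclass

# Minimum patched builds taken from the article for Chrome 131.
# Windows/Mac shipped as 131.0.6778.204 and .205, so .204 is the lower bound.
MIN_PATCHED = {
    "windows": (131, 0, 6778, 204),
    "mac": (131, 0, 6778, 204),
    "linux": (131, 0, 6778, 204),
    "android": (131, 0, 6778, 200),
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints.

    Tuples compare field by field, which avoids the lexicographic trap where
    '131.0.6778.99' > '131.0.6778.204' as strings. Malformed input raises.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform, version):
    """True if the reported version is at or above the fixed build for the platform."""
    key = platform.lower()
    if key not in MIN_PATCHED:
        raise ValueError(f"no patched build known for platform {platform!r}")
    return parse_version(version) >= MIN_PATCHED[key]


@dataclass
class Endpoint:
    host: str
    platform: str
    chrome_version: str
    restarted_since_update: bool  # assumed inventory attribute (constructed)


def audit(endpoints):
    """Return (host, finding, version) for every endpoint still exposed.

    An endpoint is exposed if its build is below the fixed one, or if the fix is
    installed but Chrome has not been relaunched, since the article notes the
    protection does not activate until restart.
    """
    findings = []
    for ep in endpoints:
        if not is_patched(ep.platform, ep.chrome_version):
            findings.append((ep.host, "update required", ep.chrome_version))
        elif not ep.restarted_since_update:
            findings.append((ep.host, "restart required", ep.chrome_version))
    return findings


# Constructed sample inventory; hostnames and states are illustrative only.
SAMPLE_INVENTORY = [
    Endpoint("ws-01", "windows", "131.0.6778.205", True),   # compliant
    Endpoint("ws-02", "windows", "131.0.6778.139", True),   # older build
    Endpoint("ws-03", "windows", "131.0.6778.204", False),  # patched, not relaunched
    Endpoint("lx-01", "linux", "131.0.6778.99", True),      # string-compare trap
    Endpoint("mb-01", "mac", "132.0.6834.83", True),        # newer major, compliant
    Endpoint("an-01", "android", "131.0.6778.200", True),   # exactly the fixed build
]


if __name__ == "__main__":
    for host, finding, version in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {finding:18} (reported {version})")
```

Feeding the script a real export from a management tool only requires building Endpoint records from that tool's columns; the comparison and the restart rule stay the same.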

"Encourage employee awareness about the importance of keeping software up to date, including Google Chrome, as well as other web browsers based on the Chromium engine," Vovk said, "and provide guidance on how to recognize update prompts and initiate manual updates when necessary."

Chrome Canary Embraces New AI-Powered Scam Protection

According to a Dec. 20 report at Bleeping Computer, Google is introducing a new scam protection feature for Chrome users. The AI-powered feature was discovered by X user Leopeva64, who shared how he spotted a new code flag in the latest Chrome Canary experimental build. This flag, Leopeva64 said, activated a feature called "Client Side Detection Brand and Intent for Scam Detection" that uses large language models to analyze web pages on your device, looking for any malicious intent or brand impersonation. The official description of the Google Chrome code flag stated that the feature "Enables on-device LLM output on pages to inquire about the brand and intent of the page." In simpler terms, this AI defense checks for scams in real-time as you browse the web.

It's understood that the feature will support Chrome users on Linux, Mac, and Windows operating systems. What remains unclear is how this protection will be presented to users, though it's likely that some form of warning pop-up will inform users of potential scam risks on the sites in question, similar to the way unsafe-site warnings are already used for not-secure or potentially dangerous sites.

Bleeping Computer's Mayank Parmar proposed an example scenario where a Chrome user might land on a falsified Microsoft tech support site designed to install malware or persuade you to dial an expensive helpdesk for fake security assistance. Parmar explained, "Chrome's AI could scrutinize the endorsed brand or linguistic style on the site." He continued, "It could then show a warning, urging you to steer clear of the site and refrain from disclosing personal data."

As reported in comments on the Chromium source code forum, Leopeva64 suggested that this warning feature may only activate when the AI-powered enhanced protection mode has been enabled in Chrome. To enable this functionality, Leopeva64 pointed to a specific flag which, when activated, switches on the new AI-powered enhanced protection feature.

  1. To ensure the highest level of security in Google Chrome, users running the browser on Windows, Mac, or Linux operating systems should install the latest Chrome 131 update.
  2. Organizations with Google Chrome or Chromium-based browsers should prioritize updating their systems using remote management tools, as advised by Alex Vovk, CEO of Action1.
  3. Chrome's new security update includes a patch for four critical vulnerabilities, specifically CVE-2024-12692, CVE-2024-12693, CVE-2024-12694, and CVE-2024-12695.
  4. Google is planning to introduce a new scam protection feature for Chrome users, leveraging AI-powered technology to analyze web pages in real-time and detect potential malicious intent or brand impersonation.
  5. Chrome browser users can expect to see warning pop-ups notifying them of potential scam risks on certain websites, similar to the way unsafe site warnings are currently used.
