Update, Dec. 21, 2024: This story, originally published Dec. 19, now includes new details of an experimental Chrome security feature and advice on update action for organizations running any Chrome or Chromium-powered browsers.
Hot on the heels of an emergency update to Google's Chrome web browser comes yet another security update for billions of users across multiple operating system platforms. This time, the update urgency remains the same, but the number of vulnerabilities does not: four high-rated vulnerabilities have been confirmed by Google; here's what you need to know and do.
Google has confirmed that the Chrome web browser is being updated again, an update that will roll out in the coming days and weeks. The reason? A total of four high-rated security vulnerabilities, which between them have earned the security researchers who discovered them a whopping $75,000 in hacker bounties.
The four vulnerabilities that Google has confirmed are:
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Prudhvikumar Bommana from the Google Chrome security team said. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed."
Chrome has been updated to the following versions:
The more than 3 billion users of Google Chrome who are potentially impacted by these security vulnerabilities need to make sure that they are protected as soon as possible. If you are in that number, and the chances are high that you are, then you need to start the update process and then restart the browser so that the patched version is actually the one running. Google does automatically update the Chrome browser, but this relies on users restarting the client, which lots of people with lots of open tabs don't like doing. So, please follow these steps now:
Head for the Help|About option in your Google Chrome menu to kickstart an automatic security update download.
Restart your Google Chrome browser after the update has been installed, or it will not activate, and you will still be vulnerable to attack.
Repeat step one to ensure that the Google Chrome update is installed and activated, and that you are now fully protected against these latest security threats.
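For organizations that cannot walk round every desk, the check behind these three steps can be scripted. The POSIX shell script below is an added example, not code from the article, from Google or from Action1: it parses the version string a Chromium-based browser prints on Linux (`google-chrome --version` or `chromium --version`) and compares it against a minimum patched version. The `REQUIRED_VERSION` value is a placeholder to be filled in from Google's release notes, and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example: check an installed Chrome/Chromium version against a required
# minimum. REQUIRED_VERSION is a PLACEHOLDER; take the real value from Google's
# release notes for the update being rolled out.
REQUIRED_VERSION="${REQUIRED_VERSION:-0.0.0.0}"

# version_ge A B: exit 0 if dotted version A is greater than or equal to B,
# 1 otherwise. Components are compared numerically; missing components are 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# extract_version "Google Chrome 100.0.1000.10": print the first dotted
# numeric token, e.g. 100.0.1000.10; prints nothing if none is found.
extract_version() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[0-9]+(\.[0-9]+)+$/) { print $i; exit } }'
}

# check_chrome "<browser --version output>" "<required version>"
# Prints a one-line verdict. Exit status: 0 current, 1 outdated, 2 unparseable.
# Note: this reports the on-disk binary. A browser that was updated but not
# restarted is still running the old code, so step two above still applies.
check_chrome() {
    installed=$(extract_version "$1")
    if [ -z "$installed" ]; then
        echo "UNKNOWN: could not parse a version from: $1"
        return 2
    fi
    if version_ge "$installed" "$2"; then
        echo "OK: $installed >= $2"
        return 0
    fi
    echo "OUTDATED: $installed < $2 (update, then restart the browser)"
    return 1
}

# Live use on a Linux endpoint (left commented so the script runs offline):
# check_chrome "$(google-chrome --version 2>/dev/null)" "$REQUIRED_VERSION"

# Constructed sample inputs, not real hosts; the verdict is the exit status,
# so the '|| :' keeps the demo from aborting under 'set -e'.
check_chrome "Google Chrome 100.0.1000.10" "100.0.1000.10" || :
check_chrome "Chromium 100.0.999.99 snap" "100.0.1000.10" || :
check_chrome "command not found" "100.0.1000.10" || :
```

Run it with `REQUIRED_VERSION` set in the environment and the commented live line enabled; a non-zero exit status from `check_chrome` is what a fleet-management job should alert on.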
In light of the latest Google Chrome web browser security update addressing a number of serious, high-severity memory vulnerabilities, Alex Vovk, CEO and co-founder of Action1, an endpoint and patch management company, has offered the following advice for organizations that are impacted:
"Communicate with employees about the importance of keeping software up to date," including the likes of Google Chrome and other web browser clients using the Chromium engine, Vovk said, "and provide guidance on how to recognize update prompts and initiate manual updates when necessary."
A Dec. 20 report at Bleeping Computer has confirmed that Google is adding a new scam protection for users of the Chrome web browser to help catch scams before they can catch you. The newly discovered AI-powered scam protection feature was uncovered by X user Leopeva64, who posted that he had spotted a new code flag in the latest Chrome Canary experimental build. This flag, Leopeva64 said, enabled a feature called "Client Side Detection Brand and Intent for Scam Detection" that employs a large language model to analyze web pages, on your device, looking for any malicious intent or brand impersonation. The official description of the Google Chrome code flag stated that the function: "Enables on device LLM output on pages to inquire for brand and intent of the page." In other words, this AI protection checks for these scams in real time as you browse the web.
It is understood that the feature will support Chrome users using the browser client on Linux, Mac and Windows operating system platforms. What is unknown at this point is precisely how the protection will be displayed to the user, but I suspect it's almost certain that some kind of warning pop-up notification will be involved to alert the user to the potential scam risk of the site in question, in much the same way that unsafe-site warnings already do for not-secure or potentially dangerous sites.
Bleeping Computer's Mayank Parmar suggested that this could be, by way of example, the Chrome user visiting a Microsoft technical support page that is actually a fake designed to install malware or get you to call a telephone number to be charged for unnecessary security support. "Chrome's AI could analyze the promoted brand or language used on the page," Parmar said, and "display a warning alerting you to avoid interacting with the page or sharing personal information."
Leopeva64 said that it appears, according to comments on the Chromium source code forum, that the feature may only work when the AI-powered enhanced protection function has been enabled for Chrome. The flag Leopeva64 described is "the one that actually activates the new AI-powered enhanced protection" mode.