Update Google Chrome to fix zero-day vulnerability
This message is intended for U-M IT staff who are responsible for university devices running the Google Chrome web browser. It will also be of interest to individuals who have Chrome installed on their own devices.
Summary
Google has released security updates to address a high-severity, zero-day vulnerability in Chrome.
Problem
The vulnerability is a use-after-free bug, which can lead to a number of consequences, ranging from a crash to remote code execution.
Threats
According to Google, an exploit for this vulnerability exists in the wild.
Affected Systems
- Google Chrome versions prior to 124.0.6367.201/.202 for Windows and macOS
- Google Chrome versions prior to 124.0.6367.201 for Linux
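For IT staff checking many devices against the version thresholds above, the following added example (not part of the original notice) classifies reported Chrome version strings as patched or affected. The host names, inventory rows and function names are constructed for illustration.

```python
import re

# Fixed builds from the "Affected Systems" list on this page.
# Windows/macOS shipped as .201 or .202, so anything below .201 is affected.
FIXED = {
    "windows": (124, 0, 6367, 201),
    "macos": (124, 0, 6367, 201),
    "linux": (124, 0, 6367, 201),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part version from text such as
    'Google Chrome 124.0.6367.155'. Returns a tuple of ints, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(os_name, version_text):
    """Return 'patched', 'affected' or 'unknown' for one device."""
    fixed = FIXED.get(os_name.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unrecognised OS or unparseable version: check by hand
    # Tuples compare numerically per component, so build .99 sorts below .201
    # (a plain string comparison would get this wrong).
    return "patched" if version >= fixed else "affected"

def triage(inventory):
    """Group host names by status for (host, os, version_text) rows."""
    result = {"patched": [], "affected": [], "unknown": []}
    for host, os_name, version_text in inventory:
        result[classify(os_name, version_text)].append(host)
    return result

# Constructed sample inventory, not real devices.
SAMPLE = [
    ("ws-001", "Windows", "Google Chrome 124.0.6367.202"),
    ("ws-002", "Windows", "124.0.6367.155"),
    ("mac-001", "macOS", "Google Chrome 124.0.6367.201"),
    ("lnx-001", "Linux", "Google Chrome 124.0.6367.99 "),
    ("lnx-002", "Linux", "Google Chrome 126.0.1.2"),
    ("kiosk-01", "Windows", ""),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

Devices reported as unknown still need a manual check from the About Google Chrome page.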
Action Items
Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
Chrome on MiWorkspace machines is set up to auto update, but all users should take action to apply the update as soon as possible. To begin using the new version:
- Find out your version: Go to the Chrome menu at the top right (three dots) and select Help > About Google Chrome.
- Update Chrome: From the About page, click Update Google Chrome (if necessary) and click Relaunch. The relaunch retains the browser content you have open. For more information, see Update Google Chrome.
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
Chrome on MiWorkspace machines is set up to auto update. We advise users to also set their personal devices to auto update Chrome. Because automatic updates to Chrome normally happen in the background when you close and reopen Chrome, we recommend all users take the following action as soon as possible on personal or MiWorkspace devices:
- Find out your version: Go to the Chrome menu at the top right (three dots) and select Help > About Google Chrome.
- Update Chrome: From the About page, click Update Google Chrome (if necessary) and click Relaunch. The relaunch retains the browser content you have open. For more information, see Update Google Chrome.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Scams, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Exploited Chrome Zero-Day Patched by Google (Securityweek Network, 5/10/24)
- Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability (The Hacker News, 5/10/24)
- Google fixes Chrome zero-day with in-the-wild exploit (CVE-2024-4671) (Help Net Security, 5/10/24)
- CVE-2024-4671 (MITRE, 5/9/2024)