Update nbow warning for 2 billion Chrome users<\/p>\n
NurPhoto via Getty Images<\/p>\n
Republished on May 18 with update now deployed to most users and warnings on the critical step all users must take to make sure their browsers are secure.<\/p>\n
Google has warned that Chrome is open to attack, and has rushed out a fix for a vulnerability that enables a hacker to steal login credentials and bypass multi-factor authentication. It\u2019s a critical issue, and it\u2019s imperative it\u2019s fixed immediately. The U.S. government has now mandated all federal staff to update by June 5. Whether you\u2019re a home or enterprise user, you should do the same.<\/p>\n
America\u2019s cyber defense agency has told all federal agency staff to \u201capply mitigations per vendor instructions\u2026 or discontinue use of the product if mitigations are unavailable.\u201d That means update inside the next 21 days or stop using your browser until you do.<\/p>\n
ForbesGoogle Is Deleting All Your Location Data\u2014Do Not Miss DeadlineBy Zak Doffman<\/a><\/p>\n CISA\u2019s<\/a> formal mandate only applies to federal employees, but its remit extends to all organizations, \u201cto help [them]<\/p>\n better manage vulnerabilities and keep pace with threat activity.\u201d Given the nature of this threat, users should act now. CISA issues plenty of such mandates, but given Chrome\u2019s install base and that this threat is now in the public domain, it really is critical for you to follow suit.<\/p>\n Although the binding operational directive only applies to federal staff, CISA \u201cstrongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of\u202fCatalog vulnerabilities\u202fas part of their vulnerability management.\u201d<\/p>\n As I warned yesterday, Google\u2019s fix for CVE-2025-4664<\/a> came with a warning<\/a> \u201cof reports that an exploit exists in the wild.\u201d This was flagged on X by @slonser_<\/a>, after discovering that \u201ca technique that\u2019s probably not widely known in the community\u201d enabled a query parameter takeover that could exploit sensitive data included in the string. \u201cIn OAuth flows, this might lead to an Account Takeover\u201d if that query parameter is stolen.<\/p>\n This means stealing the text string from Chrome that includes security session credentials after you\u2019ve logged into a service. It enables an attacker to replicate the secure session on their own device.<\/p>\n Per SC Media<\/a>, \u201cits inclusion in the KEV catalog indicates the attackers have attempted to misuse the flaw in the wild.\u201d But it\u2019s unclear whether the flagged exploit is the POC raised or there are actual attacks underway with bad actors having identified the vulnerability independently. It doesn\u2019t matter now. This is in the public domain. We\u2019re now in the period of maximum risk as attackers strike before browsers are patched.\u201d<\/p>\n Cybersecurity News<\/a> warns \u201cthe vulnerability stems from an incorrect handle provided under unspecified circumstances in Chrome\u2019s Mojo Inter-Process Communication (IPC) layer, potentially leading to unauthorized code execution or sandbox escape. The vulnerability poses significant risks, including unauthorized data leakage across web origins\u2026 Given its classification as a zero-day flaw, it was exploited before Google released the patch, heightening the urgency for mitigation.\u201d<\/p>\n Check your Chrome browser for the notification an update has been downloaded<\/a> and you need to relaunch to ensure it installs. You\u2019re looking for Chrome version 136.0.7103.113\/.114. Do this as soon as you can \u2014 don\u2019t let dozens of open tabs hold you back. With this vulnerability, it is imperative to patch now.<\/p>\n The same update warning also applies to Microsoft Edge. \u201cThis CVE was assigned by Chrome,\u201d the Windows-maker has confirmed<\/a>, but given \u201cMicrosoft Edge (Chromium-based) ingests Chromium,\u201d that fix also \u201caddresses this vulnerability.\u201d<\/p>\n There\u2019s a good explainer on this vulnerability now available courtesy of Cyber-AppSec<\/a> on Medium. \u201cThis flaw affects Chrome\u2019s Loader component and could allow attackers to steal sensitive data from other websites \u2014 all through a crafty little trick involving the Link header.\u201d While \u201cmost browsers don\u2019t pay much attention to Link headers on these kinds of requests,\u201d Chrome does, which enables the attacker to trick the browser into sending your session security info included in a full URL to their own server.<\/p>\n That attack is now in the public domain. While Google\u2019s warning advised this urgent update \u201cwill roll out over the coming days\/weeks,\u201d it should be available to you now \u2014 most users have it. It\u2019s not surprising it has been deployed quickly, given the short space of time between the public disclosure and the update, and CISA\u2019s update mandate. But automatically downloading the software is not enough. As the Chrome ecosystem is being warned (1<\/a>,2<\/a>), \u201call Chrome users must ‘relaunch\u2019 their browser now.”<\/p>\n