If you are a Windows user with Chrome installed on your PC, then this latest warning will impact you—it’s critical you update your browser as soon as you can…
Another critical Chrome update has just been issued
Updated 04/29; originally published 04/26.
Another Chrome security update has just been issued, with the Stable channel updated to 124.0.6367.78/.79. This release includes a critical fix to the underlying graphics engine of the type that has allowed attackers to execute code on target machines in the past—albeit no news yet as to any exploitation this time around.
The update also includes two high-severity memory fixes—the kind typically seen in such updates. Google has acknowledged that such memory vulnerabilities in its core engine are the most frequently discovered and exploited. As usual, there is no further information “until a majority of users are updated with a fix.”
Given that Google has designated the first fix—essentially a vulnerability to potential code manipulation—as critical, it seems highly likely it’s a credible threat. And once the fix becomes public, it’s important that users update as soon as they can—the clock is ticking for any exploitation.
Usually, a critical fix might have been the biggest Chrome news of the week, but not this time. The other news is that the death of Chrome’s dreaded tracking cookies has been delayed once again—this time into early 2025, at least.
The issue is Google’s need to balance the privacy of its users with the seemingly fair treatment of its advertisers, especially when it essentially plays both gamekeeper (as owner of the browser) and poacher (as the world’s largest ad machine).
“We recognize that there are ongoing challenges related to reconciling divergent feedback from the industry, regulators and developers,” Google said in a post mid-week, “and will continue to engage closely with the entire ecosystem.”
That’s a critical update of an entirely different kind.
The update comes as Google’s ongoing engagement with the UK’s Competition and Markets Authority (CMA) tries to carve a path through this messy situation. “We will not complete third-party cookie deprecation during the second half of Q4,” Google confirmed. “Assuming we can reach an agreement, we envision proceeding with third-party cookie deprecation starting early next year.”
Google is in something of a bind here, given its unique role in the industry. As web users become ever more privacy savvy, the gap between where Chrome is today and Apple’s Safari remains too wide. Chrome is an excellent browser, and its users rightly want to see it line up more closely with the alternatives.
Google seems to agree—notwithstanding its awkward Incognito Mode stumble—but it needs to find a compromise that doesn’t kill its ad model as well as those cookies.
Meanwhile, the bigger open question is around AI, of course, and just what this will mean for browser searching and advertising in the coming years. All told, by the time these cookies finally disappear, we may be in new territory anyway.
04/29 update: To be fair to Google, Chrome’s regular security updates—whether addressing vulnerabilities discovered by external researchers or by Google itself, front-end an ongoing program to improve the security of the world’s most popular browser.
As a recent example, the forthcoming Device Bound Session Credentials (DBSC) update should materially resolve the plague of session cookie theft, “by binding authentication sessions to the device... to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.”
But these security advances are not always smooth running—and another such update, Chrome’s foray into post-quantum cryptography (PQC), seems to have hit a teething issue.
Put at its simplest, PQC aims to protect today’s data from tomorrow’s more advanced threats—the theory being that while today’s defenses are largely good enough, new quantum computing advances will likely break the best cryptography available today.
And while Google points out that “it’s believed that quantum computers that can break modern classical cryptography won’t arrive for 5, 10, possibly even 50 years from now,” the issue is the threat from “Harvest Now, Decrypt Later, in which data is collected and stored today and later decrypted once cryptanalysis improves.”
Google says that “the sooner we can update TLS to use quantum-resistant session keys, the sooner we can protect user network traffic against future quantum cryptanalysis,” and that “we are updating technical standards, testing and deploying new quantum-resistant algorithms, and working with the broader ecosystem to help ensure this effort is a success.”
But as Bleeping Computer reported over the weekend, “some Google Chrome users report having issues connecting to websites, servers, and firewalls after Chrome 124 was released last week with the new quantum-resistant X25519Kyber768 encapsulation mechanism enabled by default... The issue also affects security appliances, firewalls, networking middleware, and various network devices from multiple vendors (e.g., Fortinet, SonicWall, Palo Alto Networks, AWS).”
For now, “affected Google Chrome users can mitigate the issue by going to chrome://flags/#enable-tls13-kyber and disabling the TLS 1.3 hybridized Kyber support in Chrome,” but the option to disable PQC defenses will be removed once the technology is considered stable.
PQC hit the headlines earlier this year, with Apple’s announcement that it was updating iMessage to protect against the same threat. And while Apple presented this as a competitive advantage for iMessage over alternatives, the reality is that such technology is likely to become much more standard over the next few years.
But such tech is still fairly deep inside the rabbit hole, and you can expect many more unexpected issues as wider rollouts begin.
