Jamf Blog
Man's fingers crossed behind his back as he shakes on a deal: Chrome forced updates can hide malicious actors
February 9, 2021 by Matthias Wollnik

Forcing Browser Updates

The exploitation of Chrome and Edge's zero-day vulnerabilities has sent home the message that when vendors publish patches it is critical for organizations to roll them out as efficiently as possible.

Attackers exploiting Chrome and Edge zero-day vulnerabilities

In the last few weeks, multiple security researchers reported that they’ve been under attack. In many of these cases, the attacker was exploiting zero-day vulnerabilities in Google Chrome or Microsoft Edge (which is based on Chromium). Microsoft patched Edge in January, which may have been related, and Google recently released Chrome 88.0.4324.150. There are few details on the specifics around these patches outside of the designation of them fixing “heap buffer overflows” and “memory corruption vulnerabilities.”

As we’ve talked about a number of times, when vendors publish these kinds of patches it is critical for organizations to roll them out as efficiently as possible. So let’s talk about how to roll out these patches to your Mac infrastructure.

We’ll use the Google Chrome update as our example.

(Optional) Step 0: Managing Chrome through the Cloud

Google provides central configuration and policy management through a cloud service to its customers. Using this will greatly simplify a number of management operations such as configuration, reporting and extension management for Chrome. You can get all the details in the Chrome Browser Cloud Management guide.

Google also provides full guidance on how to deploy or enroll Chrome installations into their management infrastructure with Jamf Pro: https://support.google.com/chrome/a/answer/9771882.

Step 1: Enabling auto-update

Google Chrome has the ability to automatically update itself, so we’ll leverage that first. If you’re using the Chrome cloud management infrastructure, you can easily manipulate settings there. Alternatively, you can use a script with Jamf Pro such as Ryan Ball’s chrome-enable-autoupdates as discussed on Jamf Nation.

The primary settings you are looking to setup are UpdatePolicies for com.google.Chrome and the RelaunchNotification* settings.

Alternatively, you could uninstall and reinstall any existing Google Chrome installations via a script and Jamf Pro if you don’t wish to enable auto-update.

Step 2: Restart Chrome

Google Chrome will update itself in the background, but the new version will not take effect until after the user restarts Chrome. To help push the user to restart, the RelaunchNotification* settings can be used to have Chrome automatically prompt the user to restart the app. In some cases, such as when an organization needs to roll out a security fix right now, it may not be appropriate to let the user defer the restart. In those cases, you can use Jamf Pro to prompt the user to save their work now.

Jamf Pro can then push out a script that identifies any running Chrome instances, terminates them, and relaunches Chrome. You could do this via multiple files and processes payloads, but we generally would suggest a single payload with a script to accomplish the Chrome restart.

Step 3: Watch for future patches

You’ll keep seeing this message from us over and over: Patch fast and patch often. It is always a best practice to push out security fixes as efficiently as possible. Vendors will release new fixes to both applications and operating systems. Make sure you have a process ready to roll these fixes out in your environment.

Keep your devices updated and safe with Jamf Pro.

Photo of Matthias Wollnik
Matthias Wollnik
Jamf
Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.