Chrome and Edge emergency updates – and trouble in Chrome/Edge 137

Short addendum from the last few days. Google had to provide the Chrome browser, and Microsoft the Chromium-based Edge browser, with an urgent security update. The reason is security vulnerabilities that have probably been exploited by threat actors in the wild. I have also received two reader reports about problems when switching to the new Chrome/Edge 137. Here is a brief summary of these issues.

Chrome security update

On June 2, 2025 there was an update to the Google Chrome browser for all operating systems that closed the vulnerability CVE-2025-5419. Clement Lecigne and Benoît Sevens from the Google Threat Analysis Group (TAG) discovered this vulnerability on May 27, 2025.

It is a read and write vulnerability in Chrome's V8 JavaScript engine. This allows a remote attacker to corrupt memory and potentially manipulate execution via an HTML page. Attackers could exploit this vulnerability to retrieve sensitive data or execute arbitrary code and crash the user's computer. The Register pointed this out in this article.

The relevant entry can be found on the Google blog. The stable channel has been updated to Chrome 137.0.7151.68/.69 for Windows and Mac and to 137.0.7151.68 for Linux. There were also app updates for Android and iOS. The Extended Stable Channel was also updated to version 136.0.7103.156 for Windows and Mac on June 3, 2025 according to this post. The update should have taken place automatically.

Emergency patch for Edge

German blog reader Bernie had also pointed out, in the discussion area of the blog on June 4, 2024, an emergency patch for Microsoft Edge that brought it to version 137.0.3296.62 on June 3, 2025. According to the security advisories, CVE-2025-5419 has been closed. The browsers should be updated automatically. Edge can also be downloaded here if required.
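The fixed builds named in the two sections above can be turned into a patch check. The following Python code is an added example, not part of the original post and not from Google or Microsoft; it compares each install against the fixed build of its own branch, so that Extended Stable 136.0.7103.156 counts as patched while the early 137.0.7151.41 build does not. The inventory rows, status names and function names are constructed for illustration.

```python
# Added example: patch triage for CVE-2025-5419 using only the builds named in this post.
# First build per (product, major branch) that the post says contains the fix.
FIXED_BUILDS = {
    ("chrome", 137): (137, 0, 7151, 68),   # Stable (Windows/Mac/Linux)
    ("chrome", 136): (136, 0, 7103, 156),  # Extended Stable (Windows/Mac)
    ("edge", 137): (137, 0, 3296, 62),     # Edge emergency patch
}

# Constructed sample inventory (host, product, installed version); not real data.
SAMPLE_INVENTORY = [
    ("pc-01", "chrome", "137.0.7151.69"),
    ("pc-02", "chrome", "137.0.7151.41"),   # early 137 build from the Trend Micro note
    ("pc-03", "chrome", "136.0.7103.156"),  # Extended Stable: lower major, but fixed
    ("pc-04", "chrome", "136.0.7103.114"),  # constructed pre-fix 136 build
    ("pc-05", "edge", "137.0.3296.62"),
    ("pc-06", "edge", "136.0.3240.92"),     # constructed; post lists no Edge 136 fix
    ("pc-07", "edge", "137.0.3296"),        # truncated value from a broken collector
]


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints so builds compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(product, version_text):
    """Classify one install against the fixed build of its own branch."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"
    fixed = FIXED_BUILDS.get((product.lower(), version[0]))
    if fixed is None:
        return "unlisted-branch"  # post names no fixed build here: check by hand
    return "patched" if version >= fixed else "needs-update"


def hosts_by_status(inventory):
    """Group host names by triage result, keeping inventory order."""
    result = {}
    for host, product, version in inventory:
        result.setdefault(triage(product, version), []).append(host)
    return result
```

Comparing only the major version, or comparing everything against the 137 stable build, misclassifies pc-02 and pc-03 respectively.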

WebView2 runtime updated

Bernie also referred to the Microsoft Update Catalog, where the Edge WebView2 Runtime is also offered. In this context, note that WebView2 has been a system component of Windows since November 2024. I never mentioned it in the blog, but Bernie had pointed this out in the discussion area of the blog on November 23, 2024 and wrote "Microsoft Edge WebView2 Runtime now a system component!".

As an IT admin, Bernie had reinstalled the company PCs via the UEM solution used and packaged the Microsoft Edge browser and Edge WebView2 Runtime. The aim was to ensure that both components were up to date. He then noticed that the Microsoft Edge WebView2 Runtime was no longer displayed in the list of installed software.

After a web search, he came across the German article Microsoft Edge WebView2 Runtime – Installer Bug? [Update] from deskmodder.de. There you will find the note that the "Microsoft Edge WebView2 Runtime is no longer displayed in the list of installed apps in the Windows settings because it is a persistent system component." This has probably been the case since Edge version 131.0.2903.48 (November 14, 2024).

Bernie described a workaround in his comment to undo this. The change can be reverted via GPO using the following registry key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView]
"SystemComponent"=dword:00000000

The Edge WebView2 Runtime is then also displayed again under the installed programs. I do not know whether this is still possible.

Bug in Chrome/Edge 137

The browser version for Chrome and Edge is currently changing from 136.x to 137.x. This may cause a lot of trouble. I've come across two issues that I'll post here.

Trend Micro Endpoint issues with Chrome/Edge 137

Bernie had already pointed to the advisory "Trend Micro Endpoint Issue with Chrome/Edge Browser Version 137", which says:

Trend Micro is aware of a compatibility issue between the User Mode Hooking (UMH) component of several Trend Micro endpoint solutions and the early release of Chrome Browser version 137.0.7151.41.

The HTTPS protection of the Web Reputation Service (WRS) is not working properly. Customers are advised to postpone the upgrade to Chrome version 137.0.7151.41.

Edge/Chrome Version 137 UserDataDir GPO

German blog reader Nico R. contacted me by email on June 5, 2025 and wrote that there was probably a bug (or a feature) from Google and Microsoft in the Chrome and Edge browsers. As of Edge/Chrome version 137, the GPO option UserDataDir for the browsers no longer works for network drives.

In his corporate environment, this means that extensions, for example, no longer work. IT uses the option of roaming via network path so that employees always have their Edge/Chrome settings when changing devices.

Placing the data in the standard roaming path, e.g. ${roaming_app_data}\xxx, is not possible in this environment, as server-stored profiles are no longer used. Only the browser configurations are still supposed to be stored in the HomeShare path on the network. But this no longer works in the browser versions mentioned. The following setting:

\\sharename\benutzer\${user_name}\edge\benutzerdaten

no longer works. Even a drive mapping (n:\edge\user data) no longer works. He came across this after hours of troubleshooting and tried it with several computers and "played through" all active GPOs.

[Screenshot: Chrome 137 errors]

If Chrome or Edge is updated from 136.x to 137.x, the extensions are "defective" (see screenshot above). The following error entries, saying that an extension has possibly been manipulated, are displayed in the Edge add-on store.

[Screenshot: Edge error]

And then further error messages appear, which are documented in the following screenshots (thanks to Nico for the hint, may help others).

[Screenshot: Chrome error messages]

The German text says that the extension has been damaged and will be deactivated.
