Chrome security updates are being pushed out more frequently by Google

In order to reduce the amount of time threat actors have to attack n-day vulnerabilities and better safeguard end users, Google has accelerated the frequency with which it releases security updates and patches for the Chromium open source code that powers the Chrome web browser.

In comparison to other browsers like Firefox, Microsoft Edge, and Safari, Chrome is projected to control just under 63% of the installed base of web browsers, making it the most widely used method of accessing the internet globally.

According to Amy Ressler of the Chrome Security team, a new milestone version of Chrome currently ships every four weeks, with interim updates in between to fix security and “other high impact” bugs. At present there is one such update between milestone releases; starting with Chrome 116, which reached select Android users on August 9th, the cadence increases to one security update every week.

According to Ressler, this shouldn’t change how people use or update Chrome, but it will get security fixes onto vulnerable devices sooner.

In contrast to a zero-day vulnerability, which is a disclosed vulnerability for which no fix yet exists, an n-day vulnerability is one for which a patch is already available. Because its code is public, like that of other open source projects, Chrome is exposed to n-day exploitation: fixes landing in the Chromium source are visible before they reach users, so threat actors can study a newly patched vulnerability, develop an exploit for it, and use it against anyone who has not yet updated.

To minimize this “patch gap,” Ressler added, “we believe it’s absolutely vital to release security patches as soon as possible.”

Earlier changes to the update cadence have already narrowed this patch gap. Before Chrome 77, when Google moved to the fortnightly stable channel updates it has used until now, the gap averaged 35 days; since then it has been 15 days.

Ressler said: “While we can’t completely eliminate the possibility of n-day exploitation, a weekly Chrome security update cadence allows us to ship security fixes 3.5 days earlier on average, greatly reducing the already brief window for n-day attackers to develop and use an exploit against potential victims and greatly complicating their lives.”

Google now treats every critical and high severity bug as potentially exploitable and is stepping up its work to triage and patch them, Ressler said. Although not every vulnerability ends up exploited as an n-day, she added, there is no way to predict in advance which ones will be.

In this way, said Ressler, Google hopes to get critical patches out promptly rather than leaving them to sit in a kind of pre-release waiting room. With a weekly cadence, users should also see fewer unplanned, out-of-band updates when an exceptionally critical bug is discovered.

Chrome users can help by watching their devices for update notifications and installing updates as soon as is practical. Note that when Chrome restarts to apply an update, it restores open tabs and windows (except those in Incognito mode), so the interruption to work should be minimal.

It is also worth emphasizing that the change applies only to Chrome: Google’s policy does not determine how often other Chromium-based browsers, such as Microsoft Edge and Opera, are updated.