Cloud Security, Patch/Configuration Management, Vulnerability Management

Google Chrome users take at least one month to update, as zero-days lurk

Researchers reported Monday that the vast majority of Chrome users take close to a month to install a new patch – something that’s a cause for concern amid an increase in the number of zero-day attacks on Chrome browsers in the past year.

In a blog posted by Menlo Security, researchers found that while Chrome 87 was released on Nov. 17, 2020, it took at least a month for 84% of customers to update their browsers. The same trend was observed with Chrome 88, which was released on Jan. 19, 2021, but also took a month until 68% of customers updated.

Vinay Pidathala, director of security research at Menlo Security, said the researchers pointed out the lag, because of 10 zero-days actively exploiting browsers in the wild during 2020, four were directed at Chrome.

“We find that zero-day exploits can work against any application,” Pidathala said. “Attackers target applications that have global and widespread adoption. We think that going forward we will see more zero days against Chrome because of its market dominance."

And starting January 2020, Microsoft’s Edge browser became based on Chromium, Pidathala added. Developing an exploit for Chrome now gives the attackers a much larger attack surface to go after.

According to the Menlo research, finance and banking, government, construction and oil and gas were the early adopters with North America and Singapore having the most customers updating as soon as the patch was released.

Hank Schless, senior manager, security solutions at Lookout, said in addition to the CVEs spelled out in Menlo’s blog, one of the four targeted Chrome for Android. Schless added that because Chrome comes loaded on every Android device as the default browser, there’s widespread risk across the Android user base. Even if the device owner doesn’t actually use Chrome as their default browser, having an outdated version of the app leaves people vulnerable, Schless said.   

“Our findings also support Menlo’s point that there’s lag time in users updating their apps,” Schless. “Some 24 hours after the updated version of Chrome was available on the PlayStore after the Android CVE was reported, we observed that roughly half of Android users had updated their app. Those who haven’t updated the app either don’t have automatic updates turned on, or may have a device that’s too old to support the updated software.” 

Security pros need to enforce mobile vulnerability and patch management policies that block access to corporate resources if there’s a vulnerable app present on the device, Schless said. Doing so will force end users to update their app if they want to be fully productive from their smartphone or tablet. It also makes mobile devices part of a company’s existing patch management workflow, which ensures future coverage of exploitable vulnerabilities in the future.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.