Google is increasing the frequency of its Chrome security updates as it fights to reduce the number of attacks targeting users of the world’s most widely deployed browser.
This month Google will begin shipping updates weekly rather than every four weeks, as it has done since 2020. The company said the move will reduce the browser’s “patch gap” — the window of opportunity threat actors have to exploit both zero-day and known vulnerabilities before they are addressed.
Google outlined the change to its Chrome security regime in an Aug. 8 post on its Security Blog.
“Rather than having fixes sitting and waiting to be included in the next bi-weekly update, weekly updates will allow us to get important security bug fixes to you sooner,” Chrome security senior technical program manager Amy Ressler said in the post.
Chrome — like Opera, Microsoft’s Edge, and several other browsers — uses the open-source Chromium code base, meaning code changes, including bug fixes, can be viewed by anyone.
“This openness has benefits in testing fixes and discovering bugs, but comes at a cost: bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven’t yet received the fix,” Ressler said.
Once a Chrome security bug is fixed, it is “landed” in the public Chromium source code repository before being tested and verified, and then shipped in the next update. The patch gap is the delay between landing and shipping.
Google said that, prior to the release of version 77 of Chrome in 2020, when it began shipping patches every four weeks, the patch gap averaged 35 days. Since then, the gap has been reduced to around 15 days.
“While we can’t fully remove the potential for n-day (known vulnerability) exploitation, a weekly Chrome security update cadence allows us to ship security fixes 3.5 days sooner on average, greatly reducing the already small window for n-day attackers to develop and use an exploit against potential victims and making their lives much more difficult,” Ressler said.
Tech companies are speeding up their responses to security vulnerabilities
In the past Google has deviated from its regular update cycle to ship emergency patches when threat actors are known to be exploiting zero-day vulnerabilities in the wild, as happened in April this year.
Ressler said the move to weekly security updates was expected to result in less need to ship emergency patches. The change in cadence begins this month with the release of version 116 of Chrome.
In a similar move designed to speed up the response time to zero-day vulnerabilities, earlier this year Apple introduced Rapid Security Response updates for its iOS, iPadOS, and macOS operating systems. The new updates are a means of shipping important security fixes between regular updates.
Google has similar issues to tackle with its Android mobile operating system but has admitted that the structure of the Android ecosystem, where the OS is used by multiple device manufacturers, makes reducing patch gaps difficult.
“These gaps between upstream vendors and downstream manufacturers allow n-days — vulnerabilities that are publicly known — to function as 0-days because no patch is readily available to the user and their only defense is to stop using the device,” Google security researcher Maddie Stone wrote in a blog post last month.
“While these gaps exist in most upstream/downstream relationships, they are more prevalent and longer in Android.”