Google has changed the Google Chrome security updates schedule from bi-weekly to weekly to address the growing patch gap problem that allows threat actors extra time to exploit published n-day and zero-day flaws.
This new schedule will start with Google Chrome 116, scheduled for release today.
Google explains that Chromium is an open-source project, allowing anyone to view its source code and scrutinize developer discussions, commits, and fixes made by contributors in real time.
These changes, fixes, and security updates are then added to Chrome's development releases (Beta/Canary), where they are tested for stability, performance, or compatibility issues before they can be pushed to the stable Chrome release.
However, this transparency comes at a cost: it also allows advanced threat actors to identify flaws before the fixes reach the massive user base of stable Chrome releases, and to exploit them in the wild.
"Bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven't yet received the fix," reads Google's announcement.
"This exploitation of a known and patched security issue is referred to as n-day exploitation."
The patch gap is the time between a security fix being released for testing and that fix finally being pushed out to the general population in public releases of the software.
Google identified the problem years ago, when the patch gap averaged 35 days, and in 2020, with the release of Chrome 77, it switched to biweekly updates to try to reduce this number.
With the switch to weekly stable updates, Google further minimizes the patch gap and reduces the window of n-day exploitation opportunity to a single week.
While this is definitely a step in the right direction and will positively affect Chrome security, it's important to note that it won't stop all n-day exploitation.
Reducing the interval between updates will stop the exploitation of flaws whose exploits are more complex and therefore take longer to develop.
However, for some vulnerabilities malicious actors can build an effective exploit using known techniques, and those cases will remain a problem.
Even in those cases, though, active exploitation will be limited to a maximum of seven days in the worst-case scenario, provided that users apply security updates as soon as they become available.
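To make the argument above concrete, here is an added example (not code from the article or from Google) that models the release cadence as the article describes it: a fix becomes visible in Chromium on some day, ships in the next stable release, and the user installs it after an assumed delay. It sweeps fix-landing times across one release cycle and reports the worst-case and average exposure window for the 14-day and 7-day schedules; the uniform distribution of landing times and the zero default install delay are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExposureStats:
    worst_days: float   # longest n-day window across the cycle
    mean_days: float    # average window, assuming fixes land uniformly


def exposure_window(fix_landed_day: float, cadence_days: int,
                    install_delay_days: float = 0.0) -> float:
    """Days from a fix becoming visible in Chromium to the user running it.

    Stable releases are cut at day 0, cadence_days, 2*cadence_days, ...
    A fix landing at fix_landed_day ships in the first release after it.
    install_delay_days is the assumed lag before the user installs it.
    """
    if cadence_days <= 0:
        raise ValueError("cadence_days must be positive")
    next_release = (fix_landed_day // cadence_days + 1) * cadence_days
    return next_release - fix_landed_day + install_delay_days


def exposure_stats(cadence_days: int, install_delay_days: float = 0.0,
                   samples_per_day: int = 24) -> ExposureStats:
    """Sweep landing times on an hourly grid over one release cycle."""
    n = cadence_days * samples_per_day
    windows = [exposure_window(i / samples_per_day, cadence_days,
                               install_delay_days) for i in range(n)]
    return ExposureStats(worst_days=max(windows),
                         mean_days=sum(windows) / len(windows))


def compare_cadences(install_delay_days: float = 0.0) -> dict:
    """Biweekly (old) versus weekly (new) Chrome stable schedule."""
    return {
        "biweekly": exposure_stats(14, install_delay_days),
        "weekly": exposure_stats(7, install_delay_days),
    }


if __name__ == "__main__":
    # With zero install delay the worst case halves from 14 to 7 days.
    for name, stats in compare_cadences().items():
        print(f"{name:9s} worst={stats.worst_days:5.1f}d "
              f"mean={stats.mean_days:5.2f}d")
```

Passing a non-zero `install_delay_days` shows why the article's "seven days" figure depends on users updating promptly: the delay adds directly to both worst-case windows.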
"Not all security bug fixes are used for n-day exploitation. But we don’t know which bugs are exploited in practice, and which aren't, so we treat all critical and high severity bugs as if they will be exploited," explains Chrome Security Team member Amy Ressler.
"A lot of work goes into making sure these bugs get triaged and fixed as soon as possible."
"Rather than having fixes sitting and waiting to be included in the next bi-weekly update, weekly updates will allow us to get important security bug fixes to you sooner, and better protect you and your most sensitive data."
Ultimately, the new update frequency will decrease the need for unplanned updates, enabling users and system administrators to adhere to a more consistent security maintenance schedule.
The vulnerability patch gap has also become a massive problem for Android, with Google recently warning that n-day flaws have become as dangerous as zero-days.
Unfortunately, the Android ecosystem is much harder for Google to control: in many cases Google releases a patch, and it then takes manufacturers months to integrate it into their phones' operating systems.
Comments
EndangeredPootisBird - 10 months ago
IMO, security updates for every program, browser and operating system should be forced on the user as soon as they become available; there's just way too many people and businesses getting infected just because they are too lazy to keep their applications and systems up to date.
Hmm888 - 10 months ago
"IMO, security updates for every program, browser and operating system should be forced on the user as soon as they become available; there's just way too many people and businesses getting infected just because they are too lazy to keep their applications and systems up to date."
I guess you don't run Windows 10 or 11?
IMO, if you're too ignorant to know how to use your PC properly, you shouldn't have one.
Lazy IT admins should be fired.
Hmm888 - 10 months ago
Rubbish. Chrome is already bloated with over 1GB of RAM being utilized.
Soon, users are going to need a minimum of 64GB of RAM...and fast RAM.
Mike_Walsh - 10 months ago
"Rubbish. Chrome is already bloated with over 1GB of RAM being utilized.
Soon, users are going to need a minimum of 64GB of RAM...and fast RAM. "
Fair comment. But, going back 2 years, 32 GB was recognised as the amount for tech freaks to aspire to.....totally OTT, and able to cater for every eventuality.
Fast forward to today, and many machines now come with 32 GB as a "standard" option. With the advent of the next-gen DDR5, the stick max has now risen to the point where it's simple enough for most users to "max out" at either 64 GB OR 128 GB, depending on their motherboard.
Technology does NOT stand still. It's a constantly moving target. And the other sticking-point is that as RAM capacities exponentially rise, developers become ever more lazy with their coding. They see all this RAM, and take the view that it's ALL there for them to use.
The days when it was a point of pride to keep coding lean, mean & tight are LONG gone.....