Google to fight hackers with weekly Chrome security updates
Google has changed the Google Chrome security updates schedule from bi-weekly to weekly to address the growing patch gap problem that allows threat actors extra time to exploit published n-day and zero-day flaws. This new schedule will start with Google Chrome 116, scheduled for release today.
Google explains that Chromium is an open-source project, allowing anyone to view its source code and scrutinize developer discussions, commits, and fixes made by contributors in real time. These changes, fixes, and security updates are then added to Chrome's development releases (Beta/Canary), where they are tested for stability, performance, or compatibility issues before they can be pushed to the stable Chrome release. However, this transparency comes with a cost, as it also allows advanced threat actors to identify flaws before fixes reach a massive user base of stable Chrome releases and exploit them in the wild. "Bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven't yet received the fix," reads Google's announcement.
"This exploitation of a known and patched security issue is referred to as n-day exploitation." The patch gap is the time between a security fix being released for testing and it finally being pushed out to the main population in public releases of the software. Google identified the problem years ago, when the patch gap averaged 35 days, and in 2020, with the release of Chrome 77, it switched to biweekly updates to try to reduce this number. With the switch to weekly stable updates, Google further minimizes the patch gap and reduces the window of n-day exploitation opportunity to a single week. While this is definitely a step in the right direction and will positively affect Chrome security, it's essential to underline that it is not a complete solution, because it won't stop all n-day exploitation. Reducing the interval between updates mainly stops the exploitation of flaws that demand more complex exploitation paths, which in turn require more time to develop than the shortened window allows.
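To make the effect of the release cadence on the patch gap concrete, here is a small added model (not code from the article or from Google) that computes, for a fix landing in open source on a given day, how many days pass until the next scheduled stable release ships it. The anchor release date and the list of fix dates are constructed for illustration, not real Chrome data; the function names are the author's own.

```python
from datetime import date, timedelta
from math import ceil
from statistics import mean

# Hypothetical anchor: one known stable release date from which the cadence repeats.
# Constructed value, not a real Chrome release date.
ANCHOR = date(2023, 8, 15)


def next_release_on_or_after(fix_date, anchor, cadence_days):
    """First scheduled stable release date that is >= fix_date, given an anchor
    release date and a fixed cadence in days (14 = biweekly, 7 = weekly)."""
    delta = (fix_date - anchor).days
    periods = ceil(delta / cadence_days)  # whole cadence periods needed to reach fix_date
    return anchor + timedelta(days=periods * cadence_days)


def exposure_days(fix_date, anchor, cadence_days):
    """Patch gap: days between a fix becoming visible in open source and the
    stable release that carries it. This is the n-day window for that fix."""
    return (next_release_on_or_after(fix_date, anchor, cadence_days) - fix_date).days


def gap_for_offset(offset_days, cadence_days, anchor=ANCHOR):
    """Convenience wrapper: exposure for a fix landing offset_days after the anchor."""
    return exposure_days(anchor + timedelta(days=offset_days), anchor, cadence_days)


# Constructed sample: one fix per day over a two-week period after the anchor.
SAMPLE_FIXES = [ANCHOR + timedelta(days=d) for d in range(1, 15)]


def compare_cadences(fixes, anchor=ANCHOR, cadences=(14, 7)):
    """Mean and worst-case patch gap for each cadence over the given fix dates."""
    result = {}
    for cadence in cadences:
        gaps = [exposure_days(f, anchor, cadence) for f in fixes]
        result[cadence] = {"mean": mean(gaps), "max": max(gaps)}
    return result


if __name__ == "__main__":
    for cadence, stats in compare_cadences(SAMPLE_FIXES).items():
        print(f"cadence {cadence:2d} days: mean gap {stats['mean']:.1f}, worst case {stats['max']} days")
```

Over the constructed sample the biweekly schedule gives a mean gap of 6.5 days and a worst case of 13, while the weekly schedule gives a mean of 3 days and a worst case of 6. The worst case is what matters for a defender: it is the longest a fix can sit publicly visible before reaching stable users, so halving the cadence halves the maximum n-day window rather than eliminating it.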
The vulnerability patch gap has also become a massive problem for Android, with Google recently warning that n-day flaws have become as dangerous as zero-days. Unfortunately, the Android ecosystem is much harder for Google to control, as in many cases a patch will be released and it will take manufacturers months to introduce it into their phones' operating systems.