Google speeds up security update frequency for Chrome

Google has moved to speed up the frequency it pushes out security updates and patches for the Chromium open source code underpinning the Chrome web browser, with the intent of minimising the time threat actors have to exploit n-day vulnerabilities and better protect end-users.

Chrome is estimated to account for just under 63% of the installed base of web browsers, making it the most popular means to access the web around the world, beating out the likes of Firefox, Microsoft Edge and Safari.

Currently, explained Amy Ressler of the Chrome Security team, a new milestone release for Chrome ships every four weeks – in between which updates are shipped to address security and “other high impact” bugs. These are currently scheduled at the rate of one update in between every milestone release, but starting from Chrome 116 – which came out on 9 August for some Android users – this schedule will ramp up to the rate of one update a week.

Ressler said this should not change how users use or update Chrome in practice, but does mean that security updates will reach vulnerable devices quicker.

An n-day vulnerability is best defined as a disclosed vulnerability for which a patch is available, as opposed to a zero-day, which is a disclosed vulnerability without a patch. Like other open source projects, Chrome is vulnerable to n-day exploits because its code is openly available and transparent, so threat actors can easily take advantage of this openness to develop exploits for new vulnerabilities as they are found and patched, and take advantage of these before users can catch up.

“That’s why we believe it’s really important to ship security fixes as soon as possible, to minimise this ‘patch gap’,” said Ressler.

Previous updates to the cadence of updates has already helped bring down this so-called patch gap. Prior to Chrome 77, when Google implemented the previous fortnightly stable channel update policy, it stood at 35 days on average. It currently stands at 15 days.

“While we can’t fully remove the potential for n-day exploitation, a weekly Chrome security update cadence allows up to ship security fixes 3.5 days sooner on average, greatly reducing the already small window for n-day attackers to develop and use an exploit against potential victims and making their lives much more difficult,” said Ressler.

Although not all vulnerabilities turn out to be exploited as n-days, Ressler added that Google cannot tell which ones will be and which ones won’t be, so it is now treating all critical and high severity bugs as if they have the potential to be exploited, and double down on its work to triage and patch them.

In this way, said Ressler, Google hopes that rather than having fixes hanging around in a kind of pre-patch waiting room, this will help get important patches out sooner rather than later, while users will also notice a decrease in the frequency of unplanned and unscheduled updates, should an exceptionally critical bug be found.

Chrome users can help by keeping an eye open for update notifications on their devices and deploying the updates as soon as is practical – note that when updating Chrome, the browser saves open tabs and windows as long as you are not using Incognito mode, so there should be no need to worry about interrupting work.

It is also important to note that the policy change is only applicable to Chrome – other browsers based on Chromium include Microsoft Edge and Opera – and the frequency with which these are updated cannot be affected by a policy change at Google.