Google has changed the Google Chrome security updates schedule from bi-weekly to weekly to address the growing patch gap problem that allows threat actors extra time to exploit published n-day and zero-day flaws.
This new schedule will start with Google Chrome 116, scheduled for release today.
Google explains that Chromium is an open-source project, allowing anyone to view its source code and scrutinize developer discussions, commits, and fixes made by contributors in real time.
These changes, fixes, and security updates are then added to Chrome’s development releases (Beta/Canary), where they are tested for stability, performance, or compatibility issues before they can be pushed to the stable Chrome release.
However, this transparency comes with a cost, as it also allows advanced threat actors to identify flaws before fixes reach a massive user base of stable Chrome releases and exploit them in the wild.
“Bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven’t yet received the fix,” reads Google’s announcement.
“This exploitation of a known and patched security issue is referred to as n-day exploitation.”
The patch gap is the time between a security fix being released for testing and that fix finally being pushed out to the main population of users in public releases of the software.
Google identified the problem years ago, when the patch gap averaged 35 days, and in 2020, with the release of Chrome 77, it switched to biweekly updates to try to reduce this number.
With the switch to weekly stable updates, Google further minimizes the patch gap and reduces the window of n-day exploitation opportunity to a single week.
While this is definitely a step in the right direction and will positively affect Chrome security, it’s essential to underline that it is not a complete solution: it won’t stop all n-day exploitation.
Reducing the interval between updates will stop the exploitation of flaws that demand more complex exploitation paths, which in turn require more time to develop.
However, there are some vulnerabilities for which malicious actors can build an effective exploit using known techniques, and these cases will remain a problem.
Even in those cases, though, the window of active exploitation will still be reduced to a maximum of seven days in the worst-case scenario, provided that users apply security updates as soon as they become available.
“Not all security bug fixes are used for n-day exploitation. But we don’t know which bugs are exploited in practice, and which aren’t, so we treat all critical and high severity bugs as if they will be exploited,” explains Chrome Security Team member Amy Ressler.
“A lot of work goes into making sure these bugs get triaged and fixed as soon as possible.”
“Rather than having fixes sitting and waiting to be included in the next bi-weekly update, weekly updates will allow us to get important security bug fixes to you sooner, and better protect you and your most sensitive data.”
Ultimately, the new update frequency will decrease the need for unplanned updates, enabling users and system administrators to adhere to a more consistent security maintenance schedule.
The vulnerability patch gap has also become a massive problem for Android, with Google recently warning that n-day flaws have become as dangerous as zero-days.
Unfortunately, the Android ecosystem is much harder for Google to control, as in many cases a patch is released and it takes manufacturers months to integrate it into their phones’ operating systems.