Google is looking to get ahead of high-severity vulnerabilities on its Chrome browser by shortening the time between security updates.
The brand hopes that more frequent updates will give bad actors less time to access and exploit n-day and zero-day flaws found within Chrome browser code.
As of Wednesday, the brand has rolled out Google Chrome 116, which includes the new schedule. Previously a bi-weekly update, Chrome will now be treated to weekly security updates.
With the open-source nature of Chromium, anyone is able to access the Chrome browser source code, “submit changes for review, and see the changes made by anyone else, even security bug fixes,” Google said on its security blog.
Typically, community members from Google’s Canary and Beta channels notify the brand of various issues of stability, compatibility, or performance that can be addressed before stable updates are sent to the public. This openness is double-edged; however, as bad actors have the same access as good-faith users, allowing them real-time details on vulnerabilities before updates are deployed to a wide range of public users. If taken advantage of, such an attack is called an n-day exploitation.
This is why Google hopes shortening the time between security updates can assist in deterring nefarious users from gaining information about vulnerabilities in Chromium code. Usually, the time between security updates is used for testing prior to a public release. Google first observed this to be an issue in 2020 when its patch gap between updates was approximately 35 days. It then shifted to a biweekly update schedule with the release of Chrome 77.
The brand noted this latest schedule still won’t deter all n-day exploits but can minimize them further. In practice, more frequent security updates offer less time for bad actors to exploit flaws that require detailed paths and more development time. Over time, there is also the likelihood that bad actors will find ways to create faster exploits.
There is also the possibility that the frequency of security updates could eventually truncate even more, with patches being deployed as soon as they’re available.
Google stated it now tackles “all critical and high severity bugs as if they will be exploited.”
Even so, the brand has come to see n-day exploits as just as dangerous as zero-day exploits, which are vulnerabilities that were previously unknown and therefore unaddressed with a patch or update.
Google also recently announced its plans to enable separate Chrome browser support for ChromeOS as of the ChromeOS 116 release. This update would especially benefit Chromebooks, extending the netbooks far longer than their typical software lifespan. The ChromeOS 116 release is scheduled for August 22.