Chrome Introduces Weekly Security Patches
Security improvements are being made to Google Chrome. Google said today that Chrome will transition to a new method for security patch updates, with updates being made available every week. The Google browser now receives significant changes, known as “milestone” updates, every four weeks (it used to be six). In these upgrades, the version number is changed from one to the next, for instance, from version 100 to 101. Between these significant improvements, Chrome used to receive “Stable Refresh” updates every two weeks.
These “Stable Refresh” upgrades were made to fix critical bugs and security flaws. The method is currently being changed by Google such that these updates will now happen every week in between the main upgrades. Version 116 of Google Chrome, which will be accessible on desktop and mobile platforms, will mark the beginning of this transition. This change is being made to ensure that security updates are distributed to users more quickly.
The open-source project Chromium, from which Chrome is descended, has a special quality: anyone can view and read its source code. This entails that anyone can examine the code, make changes, and observe changes made by others, including patches for security flaws. This openness has a potential downside even if it is helpful for testing and finding faults. Malicious actors might use the knowledge about these changes at their disposal to create attacks on users who haven’t yet gotten the required updates.
This kind of exploiting a security hole that has already been patched is referred to as “n-day exploitation.”
Google claims that the procedure goes as follows:
- Chrome has a security flaw that has been found and addressed.
- The public can then obtain the fix because it has been included in the public Chromium source code repository.
- Teams within the Chrome community test and validate the fix’s efficacy.
- Earlier versions that were impacted by the security flaw may receive a backport of the fix if it is determined to be successful.
- The Stable channel’s following scheduled update will include the security fix.
The “patch gap,” or the amount of time between the fix being added to the repository and it being included in a Stable channel update, is decreased once the update is prepared and distributed as part of the Stable channel update.
The delay between patches is currently around 15 days. When compared to the 35-day gap that existed before to the switch to bi-weekly patch updates in 2020, this represents a major improvement. The window of opportunity for attackers using n-day exploitation will be smaller thanks to the weekly patch updates, which Google expects to make security fixes available on average 3.5 days earlier. It is anticipated that this adjustment will make life more difficult for potential assailants.
The likelihood of unscheduled upgrades brought on by the discovery of exploits in the wild decreasing is another benefit of this new schedule. Google aims to lessen the need for unforeseen changes by releasing stable updates once a week. To strengthen the browser’s security protections, Google Chrome has switched to weekly security patch releases. Google wants to prevent potential attacks and give consumers a safer surfing experience by releasing solutions more quickly.