Google is changing the cadence of its releases for Chrome in an effort to reduce the time gap between when a fix for a specific bug lands in the Chromium codebase and when it is available in the Chrome browser stable channel release.
The Chromium open source project is the base on which the Chrome browser, along with several other browsers and apps, is built. Because it’s open source, the code is visible to anyone who wants to have a look, including attackers who might like to get a jump on exploiting vulnerabilities for which there are fixes in the code base that haven’t been deployed to the stable channel yet. Enterprising attackers can dig through the Chromium code to find changes that indicate newly patched vulnerabilities and then develop exploits and target users who don’t update immediately.
Right now, Google releases stable channel updates every two weeks, but beginning with Chrome 116, the company will shift to a weekly stable release schedule. The goal is to shrink the window of time between when the fix for a given bug lands in the Chromium code base and when it is available in the stable Chrome channel.
“When a Chrome security bug is fixed, the fix is landed in the public Chromium source code repository. The fix is then publicly accessible and discoverable. After the patch is landed, individuals across Chrome are working to test and verify the patch, and evaluate security bug fixes for backporting to affected release branches. Security fixes impacting Stable channel then await the next Stable channel update once they have been backported. The time between the patch being landed and shipped in a Stable channel update is the patch gap,” Amy Ressler of the Chrome security team, said in a post Tuesday.
“While we can’t fully remove the potential for n-day exploitation, a weekly Chrome security update cadence allows up to ship security fixes 3.5 days sooner on average, greatly reducing the already small window for n-day attackers to develop and use an exploit against potential victims and making their lives much more difficult.”
This change could have a significant effect on the security of a huge chunk of Internet users. Chrome is by far the most popular browser and shipping security fixes to users on a more frequent basis gives them a better chance of defending themselves against ambitious adversaries. Of course, not all users update their browsers immediately, or even regularly. But the ones who do will have a better defensive posture.
“Not all security bug fixes are used for n-day exploitation. But we don’t know which bugs are exploited in practice, and which aren't, so we treat all critical and high severity bugs as if they will be exploited. A lot of work goes into making sure these bugs get triaged and fixed as soon as possible. Rather than having fixes sitting and waiting to be included in the next bi-weekly update, weekly updates will allow us to get important security bug fixes to you sooner, and better protect you and your most sensitive data,” Ressler said.
In enterprise environments, IT teams should encourage users to update Chrome as soon as practical, given work limitations.