Google has changed the Google Chrome security updates schedule from bi-weekly to weekly to address the growing patch gap problem that allows threat actors extra time to exploit published n-day and zero-day flaws.
The new schedule starts with Google Chrome 116, released on 9 August.
Google explains that Chromium is an open-source project, allowing anyone to view its source code and scrutinize developer discussions, commits, and fixes made by contributors in real time.
These changes, fixes, and security updates are then added to Chrome’s development releases (Beta/Canary), where they are tested for stability, performance, or compatibility issues before they can be pushed to the stable Chrome release.
However, this transparency has a cost: it also lets capable threat actors spot security fixes as they land upstream, work back to the underlying flaw, and exploit it in the wild before the fix reaches the much larger stable Chrome user base.
“Bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven’t yet received the fix,” reads Google’s announcement.
“This exploitation of a known and patched security issue is referred to as n-day exploitation.”
The patch gap is the time between a security fix landing in the open-source tree, where it ships first to the Beta and Canary testing channels, and its arrival in the stable release that most users run.
Google identified the problem years ago, when the patch gap averaged 35 days, and in 2020, with the release of Chrome 77, switched to biweekly stable security updates to shorten it.
With the switch to weekly stable updates, Google further minimizes the patch gap and reduces the window of n-day exploitation opportunity to a single week.
While this is a step in the right direction and will improve Chrome security, it will not eliminate n-day exploitation: a fix is still publicly visible upstream for up to a week before the stable release that carries it ships.