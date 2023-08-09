Google has made a significant change to its Google Chrome security updates schedule, transitioning from bi-weekly updates to weekly updates. This adjustment aims to tackle the growing issue of the patch gap, which grants threat actors additional time to exploit n-day and zero-day vulnerabilities.

The new schedule takes effect with the release of Google Chrome 116, scheduled for today. Google explains that Chromium, the open-source project behind Chrome, lets anyone view its source code. That transparency lets developers identify flaws and contribute fixes in real time.

While this transparency is beneficial, it also presents a challenge, as advanced threat actors can exploit these vulnerabilities before they reach the widespread stable Chrome releases. Google states that “bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven’t yet received the fix.”

The patch gap refers to the time it takes for a security fix to undergo testing and eventually be released to the general public. Google acknowledged this problem years ago when the average patch gap was 35 days. In 2020, with the release of Chrome 77, the company shifted to bi-weekly updates in an effort to reduce this timeframe.

By transitioning to weekly updates for stable releases, Google aims to further minimize the patch gap and decrease the window of opportunity for n-day exploitation to just one week. This adjustment is a positive step towards enhancing Chrome security.

However, it is important to note that weekly releases will not prevent all n-day exploitation: a vulnerability whose fix is already visible in Chromium may still be exploited using known techniques until the corresponding stable release ships. Nonetheless, with the weekly update frequency, the window for active exploitation of such a flaw shrinks to a maximum of seven days, provided users promptly apply security updates.

The Chrome Security Team emphasizes that all critical and high severity bugs are treated as if they will be exploited, as it is difficult to determine which bugs will be targeted. The team works diligently to ensure prompt bug triage and fixes.

This new update frequency will also reduce the need for unplanned updates, allowing users and system administrators to follow a more consistent security maintenance schedule. The vulnerability patch gap poses a significant challenge for Android as well, where n-day flaws have become as dangerous as zero-days. However, Google has far less control over the Android ecosystem, as manufacturers often take months to ship patches in their phones' operating systems.