When you read a news story with Google, Chrome, and security in the headline, it will likely be about a zero-day or other critical vulnerability. This time is no exception, but likely not in the way you are thinking. Google has just made a surprise announcement that will give all three billion Chrome browser users better protection from zero-day vulnerabilities and n-day exploits.
What Is An N-Day Exploit?
In an 8 August announcement, Amy Ressler from the Chrome security team at Google explains that an n-day exploit takes advantage of something known as the patch gap. The Chromium project is an open-source one, meaning anyone can take a peep at the source code and, notably for the issue at hand, see changes that have been made, changes that include fixes for security vulnerabilities.
Developers and Beta users will get those fixes ahead of any public release, which is a good thing as it allows for the discovery of any usability issues that may have been missed. It’s also a bad thing as it creates an opportunity for cybercriminals and other threat actors to take advantage of this visibility to develop exploits for the vulnerability in question.
When the patch is rolled out to the public, those actors can deploy the exploit against any users who have not yet applied the patch. “This exploitation of a known and patched security issue,” Ressler says, “is referred to as n-day exploitation.”
The Patch Gap
Addressing the patch gap is vital to prevent n-day exploits from hitting Chrome browser users. Ressler explains the patch gap as the “time between the patch being landed and shipped in a stable channel update.” By landed, Ressler refers to when a Chrome security issue is fixed, and the patch is made accessible and discoverable in the source code repository.
With the release of Chrome 77, which was three years ago now, stable channel updates moved to a two-week cycle. This reduced the patch gap from a previous 35-day average to a 15-day one. Starting immediately with the newly released Chrome 116, those stable channel updates will now be every week.
Chrome Starts Releasing Weekly Security Updates
While the so-called milestone Chrome releases will remain on a four-week cycle, security releases will now happen weekly. Updates will continue to work the same way, with automatic distribution and installation and the requirement to restart your browser to activate them. What is changing is the protection you get as an end user of the Google Chrome web browser. Those all-important security patches will arrive more quickly, meaning there is a much smaller window of opportunity for cybercriminals and other threat actors to exploit known vulnerabilities.
What this isn’t, however, is a security panacea. There will remain a patch gap; there will still be n-day exploits, and there will still be successful attacks and compromises. “While we can’t fully remove the potential for n-day exploitation,” Ressler says, “a weekly Chrome security update cadence allows us to ship security fixes 3.5 days sooner on average.” This, Ressler continues, will significantly reduce the already small window of n-day attacker opportunity to “develop and use an exploit against potential victims.”
As far as zero-day vulnerabilities are concerned, which have led to out-of-band or ‘emergency’ updates to Chrome, these will still have the highest priority for getting patches out to all users. By bringing in this weekly update cadence, Google hopes that the number of such emergency releases will be reduced, although it’s unlikely they will dry up altogether.
New Ways To Update Chrome
Ressler also confirmed that a new method of displaying update notifications had been rolled out, by way of a ‘stable experimentation’ test, to 1% of users updating to Chrome 116. These notifications will appear in the browser toolbar and inform users when an update is available, as well as when the browser is ready to relaunch. Power users who leave many tabs open can put off updating the browser due to fears of losing them all. However, Ressler has pointed out that when Chrome relaunches to update, “your open tabs and windows are saved and Chrome re-opens them after restart.” Unless you are in incognito mode, when all bets are off, of course.
All of these changes only apply to Google Chrome and not other web browsers that use the Chromium engine, it should be noted.