Google is planning to make security updates for Chrome more frequent in an effort to be more proactive in tackling high-severity vulnerability issues.
As the most popular browser on the internet, this vast user base makes it a big target for hackers looking to exploit security flaws and steal users’ personal data.
However, the crucial Achilles heel in Google’s attempts to protect its users is the open-source Chromium project, which can be used as a browser and shares a lot of code with Chrome (which is based on Chromium, as are some other browsers).
Based on Chromium
The open-source nature of Chromium unfortunately means that Chrome’s source code is available for anyone to see and try to hack. Google also allows for users and developers to test their own ideas and find bugs, and then report them to Google to fix, along with a list of proposed changes by other users which could sometimes be potential bug fixes.
If a nefarious hacker spots such a change being made, for example, but Google developers haven’t yet rolled out the update that includes the fix for the problem, they could exploit it. So, hopefully by making the time period between updates shorter, users can install these fixes much sooner.
Tightening the time between updates
By shortening the time between updates, Google hopes to reduce the time and chances malicious users have to discover and exploit possible ‘zero day’ and ‘n day’ weaknesses (which make up a large chunk of security challenges browser developers face), with the numbers referring to the urgency of the issue.
A ‘zero day’ vulnerability means that a vulnerability has been discovered by bad actors before the developers of the targeted software, is assumed to be actively being taken advantage of, and developers are already behind the curve responding to it. When it’s discovered, it turns into an ‘n day’ vulnerability, signifying that developers have some number ‘n’ days until the next time a software security patch is implemented. Hence, they have ‘n’ days to work out a solution and package it into the next set of updates for the software.
Increasing how often updates and patches are deployed decreases the time interval between discovery of a problem and distribution of the solution. This is sometimes called the ‘patch gap’. With these durations smaller for each security fix, hackers have a shorter period of time to try to find and use these types of flaws. Google hopes that this will make attackers’ lives “much more difficult.”
How Google updates Chrome
At present, Chrome is developed across four versions simultaneously to help minimize the patch gap. Two of them, Canary and Developer (or Dev), are updated nightly and weekly respectively, and are intended for use by developers. Similarly, Chrome Beta is updated every week, but larger milestone updates are every fourth week on that schedule. Canary and Beta users already get bug fixes earlier which allows for testing of the fresh code.
Chrome Stable is the most thoroughly tested version and recommended as a general go-to for most users. It sees updates every four weeks, with the exception of urgent problems that need patching with what is known as a Stable Refresh.
Stable Refreshes happen every two weeks on the Stable channel. For even this most tested and finalised version of Chrome, Google stated that the patch gap was 15 days. It’s this version’s update schedule that is moving to a weekly basis (like that of Chrome Beta), which will make updates happen three and a half days faster. This schedule will begin with version Chrome 116 as of August 8. Google hopes that there will be fewer unplanned updates. Milestone updates will happen every four weeks as well.
Updating your browser
When each of these updates is available, your overflow menu button will indicate this (the three-dot button in the top right of the browser screen), and there will also be prompts on mobile. One aspect of Chrome updates for mobile is that whether or not you receive such a notification may be affected by the phone manufacturer, so it’s worth checking for them on your device by yourself (especially if it’s not a Google phone). Google is further experimenting with how this notification looks like.
This does mean that users will have to close and restart the browser after every patch to finish its install. Google advises in its announcement post that you should immediately update your browser when prompted to. It says to not worry about losing work or closing tabs, as tabs and windows should be saved, and be available for reopening - though we recommend making sure any forms or text boxes are manually saved before you restart.
I think Google is in an interesting position - crowdsourcing problem-solving and solution-building via open-source code can lead to issues being quickly found and fixed. Nonetheless, the merits of open-source development continue to be debated as it presents its own collection of issues.
That said, it’s also responsible for storing sensitive data for the largest browser user base on the internet, and there is no shortage of hostile actors looking to carve out a chunk and sell it to whoever is willing to pay for it.
To me, the merits of the Chromium open-source project and its frequent, consistent updates are compelling, and it’ll be interesting to follow Google’s security balancing act. Still, I know most of us hate having to interrupt whatever we’re doing for updates and people’s preferences can be easily affected by changes like these. Will more prompts to update and restart the web browser make people want to switch? If Google doesn't strike the right balance, that could be an issue, despite its huge market share lead.
