Google Chrome will soon start receiving security updates more quickly as security engineers at Google have successfully cut down the browser’s “patch gap” from 33 days to just 15 days.
The term patch gap refers to the amount of time it takes from when a vulnerability is fixed in an open source library to when it is patched in software which uses that same library. Patch gaps are considered a major security risk as many software applications rely on the same open source components.
Once a security bug is fixed in an open source library, details about the bug become public as most open source projects are public and pride themselves on transparency. However, by revealing these details, hackers can then use them to craft exploits and launch attacks against software that has not yet been patched.
Many software makers, such as Google and even Microsoft, use a fixed release schedule to update their products. During the time between patches, hackers can leverage the patch gap to provide themselves with an attack window that most software projects will have a hard time defending against.
Chrome patch gap
Google’s Chrome web browser is one of many software projects that is affected by a patch gap because it relies on a high number of open source components including PDFium and the V8 JavaScript engine. Last year, security researchers from Exodus Intelligence pointed out two occasions where the large patch gap in Chrome could be exploited by attackers.
The Chrome Security team took note and in Chrome’s recently published quarterly security summary for Q4 2019, engineers at Google revealed that they had discovered a way to reduce the browser’s patch gap, saying:
“We continue to work on the “patch gap”, where security bug fixes are posted in our open-source code repository but then take some time before they are released as a Chrome stable update. We now make regular refresh releases every two weeks, containing the latest severe security fixes. This has brought down the median “patch gap” from 33 days in Chrome 76 to 15 days in Chrome 78, and we continue to work on improving it.”
Basically Google has decided to release security updates more frequently in an effort to reduce Chrome’s patch gap. Since Chrome’s silent update mechanism is turned on by default, users will receive security updates more often without having to apply patches to the browser themselves.
Via ZDNet