Google will get faster at releasing Chrome security patches

Chrome Security team cuts Chrome’s patch gap by half

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Google Chromewill soon start receiving security updates more quickly as security engineers atGooglehave successfully cut down the browser’s “patch gap” from 33 days to just 15 days.

The term patch gap refers to the amount of time it takes from when a vulnerability is fixed in an open source library to when it is patched in software which uses that same library. Patch gaps are considered a major security risk as many software applications rely on the sameopen sourcecomponents.

Once a security bug is fixed in an open source library, details about the bug become public as most open source projects are public and pride themselves on transparency. However, by revealing these details, hackers can then use them to craft exploits and launch attacks against software that has not yet been patched.

Many software makers, such as Google and evenMicrosoft, use a fixed release schedule to update their products. During the time between patches, hackers can leverage the patch gap to provide themselves with an attack window that most software projects will have a hard time defending against.

Chrome patch gap

Google’s Chrome web browser is one of many software projects that is affected by a patch gap because it relies on a high number of open source components including PDFium and the V8 JavaScript engine. Last year, security researchers from Exodus Intelligence pointed out two occasions where the large patch gap in Chrome could be exploited by attackers.

The Chrome Security team took note and in Chrome’s recently publishedquarterly security summary for Q4 2019, engineers at Google revealed that they had discovered a way to reduce the browser’s patch gap, saying:

“We continue to work on the “patch gap”, where security bug fixes are posted in our open-source code repository but then take some time before they are released as a Chrome stable update. We now make regular refresh releases every two weeks, containing the latest severe security fixes. This has brought down the median “patch gap” from 33 days in Chrome 76 to 15 days in Chrome 78, and we continue to work on improving it.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Basically Google has decided to release security updates more frequently in an effort to reduce Chrome’s patch gap. Since Chrome’ssilent update mechanismis turned on by default, users will receive security updates more often without having to apply patches to the browser themselves.

ViaZDNet

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

This new malware utilizes a rare programming language to evade traditional detection methods

A new form of macOS malware is being used by devious North Korean hackers

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time