Google is going to release faster updates for users of its Chrome web browser in the interest of better security. Today, Google announced that it will release new security updates for Stable Chrome users every week, starting with this week"s release of Chrome 116 in the Early Stable channel.
In a blog post, Google said that in the past, it has released one security update in between the Stable milestone Chrome releases (called "Stable Refresh"), which happens every four weeks. As with many browsers, Google uses the Chromium open-source code as the basis for Chrome. Google states:
This openness has benefits in testing fixes and discovering bugs, but comes at a cost: bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven’t yet received the fix. This exploitation of a known and patched security issue is referred to as n-day exploitation.
That’s why we believe it’s really important to ship security fixes as soon as possible, to minimize this “patch gap”.
The move to issue weekly security updates should allow Google to close the "patch gap" for Chome compared to the previous schedule of bi-weekly patch releases:
While we can’t fully remove the potential for n-day exploitation, a weekly Chrome security update cadence allows up to ship security fixes 3.5 days sooner on average, greatly reducing the already small window for n-day attackers to develop and use an exploit against potential victims and making their lives much more difficult.
Google says that if a security exploit in Chome is discovered to be used out in the wild, the company will quickly fix and release an unscheduled patch for the browser. However, since it will now release new security updates every week, Google expects these kinds of unscheduled updates to be reduced as well.