Google cuts Chrome 'patch gap' in half, from 33 to 15 days

Future plans include cutting the patch gap further, which might mean that Google will have to release Chrome security fixes on a weekly basis.
Written by Catalin Cimpanu, Contributor
Google Chrome

Google security engineers said last week they have successfully cut down the "patch gap" in Google Chrome from 33 days to only 15 days.

The term "patch gap" refers to the time it takes from when a security bug is fixed in an open source library to when the same fix lands in software that uses that particular library.

In today's software landscape where many apps rely on open source components, the "patch gap" is considered a major security risk.

The reason is because when a security bug is fixed in an open source library, details about that bug become public, primarily due to the public nature and openess of most open source projects.

Hackers can then use details about these security flaws to craft exploits and launch attacks against software that relies on the vulnerable component, before the software maker has a chance to release a patch.

If the software maker is on a fixed release schedule, with updates coming out every few weeks or months, the patch gap can provide hackers with an attack window that most software projects can't deal with.

The Chrome web browser is one of these projects that are affected by a patch gap because it uses a large number of open source components -- from the PDFium PDF-viewing library to the V8 JavaScript engine, just to name a few.

In 2019, security researchers from Exodus Intelligence have highlighted on two ocassions that Chrome's large patch gap can be exploited by attackers.

First in April, and then in September, Exodus researchers developed proof-of-concept exploit code for security bugs fixed in the V8 JavaScript engine that had yet to make their way downstream into the Chrome codebase.

Google took notice

The good news for Chrome users is that the Exodus team's research on the topic and subsequent warnings did not go unheard with the Chrome Security team.

In Chrome's recently published quarterly security summary for Q4 2019, Google engineers said they've worked to reduce Chrome's patch gap.

"We now make regular refresh releases every two weeks, containing the latest severe security fixes," said Andrew R. Whalley, a member of the Chrome Security team.

"This has brought down the median 'patch gap' from 33 days in Chrome 76 to 15 days in Chrome 78, and we continue to work on improving it," he added.

Chrome security updates every week?

As Whalley explained, Google's answer to reducing Chrome's patch gap was to release security fixes more often. With Google planning to cut the patch gap even more this most likely means that we might soon see Chrome security fixes released on a weekly basis, as Google engineers push critical security fixes from the open source libraries to users' Chrome browsers.

Since Chrome features a silent update mechanism that's turned on by default for all users, in most cases, Chrome end users won't have to do take any action to receive the fixes.

Similar issues with "patch gapping" also impact Google's second major software project, the Android OS, which also relies on a large number of open source components. However, delivering security updates for Android is ... a mess, to put it midly.

All the Chromium-based browsers

Editorial standards