Beginning this week, Google will push security updates weekly to its Chrome browser—a further effort by the company to address the “patch gap,” or the time between when an exploit becomes known and its fix goes live. Would-be attackers are now cut off earlier from making use of just-discovered (aka zero-day) and already known (aka n-day) issues.
As spotted by Bleeping Computer, this scheduling change coincides with the launch of Google Chrome 116. Previously, Google released security patches bi-weekly. High-priority exploits will continue to have fixes issued immediately; they won’t be held for the weekly release cycle.
Google attributes its motivation partially to the transparency of the code Chrome is based on—Chromium, which is an open-source project. Not only is its source code public, but so are all related discussions and planned updates. More sophisticated hackers can use the information to figure out vulnerabilities they can exploit.
Shrinking the period between security patches from the previous average of 15 days to seven gives attackers a much smaller window of time to work within. However, in its announcement explaining the new scheduling, Google warns that more frequent updates don’t solve the patch gap issue and the threat of n-day exploits; they only reduce them. The company last narrowed the time between its regular security updates in 2020, when the average patch gap lasted 35 days.
Users can make the most of this new security policy by keeping an eye out for Chrome update notifications—whenever a new update is ready, you should see a button appear in the upper right-hand corner of the app. Save any work before clicking on it to apply the patch and relaunch Chrome. That goes especially if you’re in Incognito mode, since those windows and tabs won’t get preserved when the browser restarts.