The Chromium underpinnings of Google Chrome and Microsoft Edge have seen more in-the-wild “zero day” bugs as of late. Google today explained what’s behind that browser trend, as well as what security features Chrome has in place to counter it.
Data compiled by Google’s Project Zero team — including a detailed spreadsheet — shows that zero days targeting Chrome have increased since 2019. The Chrome Security team points to four main reasons for this trend from increased vendor transparency to how “browsers increasingly mirror the complexity of operating systems” with more capabilities, like accessing hardware.
Another big reason is how attackers are now targeting browsers directly following the deprecation of Flash. Chromium is specifically in the crosshairs since it now underpins both Chrome and Microsoft Edge, thus allowing bugs to target more users. The last reason Google offers is how “some attacks that could previously be accomplished with a single bug now require multiple bugs.”
With Chrome’s multiyear Site Isolation project largely complete, a single bug is almost never sufficient to do anything really bad. Attackers often need to chain at least two bugs: first, to compromise the renderer process, and second, to jump into the privileged Chrome browser process or directly into the device operating system. Sometimes multiple bugs are needed to achieve one or both of these steps.
Looking ahead, Google wants to combat n-day attacks from bugs that are already patched and therefore visible in open-source code repositories, but can still be used because people have not yet updated Chrome. Its advice to end users and IT departments alike is installing updates as soon as possible.
We have greatly reduced our “patch gap” from 35 days in Chrome 76 to an average of 18 days in subsequent milestones, and we expect this to reduce slightly further with Chrome’s faster release cycle.
Other ongoing efforts include strengthening Site Isolation — especially on Android — and adding more layers of security that require additional chained bugs to be successful. This requires long-term engineering efforts that might require performance trade-offs.
The full blog post makes for an interesting read.
More on Chrome:
- Chrome OS 99 rolling out: Faster desk creation, improved palm rejection & Nearby Share
- Chrome for Mac achieves highest Speedometer score to date, beating Safari
- Here’s the full Google Chrome browser running on Fuchsia [Gallery]
FTC: We use income earning auto affiliate links. More.