
Google explains how modern Chrome attacks increasingly require multiple zero days

The Chromium codebase underlying Google Chrome and Microsoft Edge has seen more in-the-wild “zero-day” bugs recently. Google today explained what is behind that trend, as well as which security features Chrome has in place to counter it.

Data compiled by Google’s Project Zero team, including a detailed spreadsheet, shows that zero days targeting Chrome have increased since 2019. The Chrome Security team points to four main reasons for this trend, ranging from increased vendor transparency to how “browsers increasingly mirror the complexity of operating systems” by gaining more capabilities, such as accessing hardware.

Another big reason is that attackers now target browsers directly following the deprecation of Flash. Chromium is specifically in the crosshairs because it now underpins both Chrome and Microsoft Edge, so a single bug reaches a much larger pool of users. The last reason Google offers is that “some attacks that could previously be accomplished with a single bug now require multiple bugs.”

For example: 

With Chrome’s multiyear Site Isolation project largely complete, a single bug is almost never sufficient to do anything really bad. Attackers often need to chain at least two bugs: first, to compromise the renderer process, and second, to jump into the privileged Chrome browser process or directly into the device operating system. Sometimes multiple bugs are needed to achieve one or both of these steps.
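To make the “site” boundary in that quote concrete, here is an added example (not code from Google’s post, from Chromium, or from 9to5Google) that models how Site Isolation decides which documents may share a renderer process. It assumes the site of a URL is its scheme plus registrable domain (eTLD+1), uses a small constructed public-suffix list in place of the real Public Suffix List, and ignores Chromium’s finer cases (origin-isolation opt-ins, sandboxed frames, and so on). The point it illustrates is the first step of the chain described above: a renderer-only compromise exposes data from the same site, and reaching anything else requires a second bug to escape the renderer.

```javascript
// Added example: simplified model of the Site Isolation process boundary.
// Assumption: site = scheme + eTLD+1 (registrable domain). Chrome's real
// implementation consults the full Public Suffix List and has more cases.

// Constructed stand-in for the Public Suffix List (not the real list).
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk', 'github.io']);

// Registrable domain (eTLD+1) of a hostname. Walks from the longest suffix
// down so that multi-label suffixes such as "co.uk" or "github.io" win over
// their final label. Returns null if no known suffix matches.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join('.');
    }
  }
  return null;
}

// Site key used to assign a document to a renderer process. Hosts with no
// recognised suffix (IP literals, "localhost") are treated as their own site.
function siteOf(urlString) {
  const u = new URL(urlString);
  const domain = registrableDomain(u.hostname) || u.hostname;
  return `${u.protocol}//${domain}`;
}

function sameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// Constructed sample documents: what each one holds in its renderer.
const DOCUMENTS = [
  { url: 'https://mail.google.com/inbox', secret: 'mail-session' },
  { url: 'https://docs.google.com/doc/1', secret: 'doc-contents' },
  { url: 'http://google.com/', secret: 'http-only-cookie' }, // different scheme
  { url: 'https://alice.github.io/', secret: 'alice-page' },
  { url: 'https://bob.github.io/', secret: 'bob-page' },     // github.io is a suffix
  { url: 'https://bank.co.uk/account', secret: 'bank-balance' },
];

// Secrets an attacker can read after compromising only the renderer that
// hosts compromisedUrl. With Site Isolation, that is the same-site set;
// without it (modelling a pre-isolation tab whose frames shared one
// process), the model assumes everything in the list was co-located.
function reachableFromRenderer(documents, compromisedUrl, siteIsolation = true) {
  if (!siteIsolation) {
    return documents.map((d) => d.secret);
  }
  return documents
    .filter((d) => sameSite(d.url, compromisedUrl))
    .map((d) => d.secret);
}

// Usage: a renderer bug in Gmail reaches other google.com documents only;
// the http:// origin, other github.io users and the bank need a second bug.
console.log(reachableFromRenderer(DOCUMENTS, 'https://mail.google.com/inbox'));
console.log(reachableFromRenderer(DOCUMENTS, 'https://mail.google.com/inbox', false));
```

Note that `alice.github.io` and `bob.github.io` land in different processes because `github.io` is on the suffix list; that is exactly why a single renderer bug on one user page does not expose another user’s page, and why the attacker in Google’s description needs a second bug to move on.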

Looking ahead, Google wants to combat n-day attacks: exploitation of bugs that are already patched, and therefore visible in the open-source code repositories, but still usable against people who have not yet updated Chrome. Its advice to end users and IT departments alike is to install updates as soon as possible.

We have greatly reduced our “patch gap” from 35 days in Chrome 76 to an average of 18 days in subsequent milestones, and we expect this to reduce slightly further with Chrome’s faster release cycle.

Other ongoing efforts include strengthening Site Isolation, especially on Android, and adding more layers of security that require additional chained bugs to bypass. These are long-term engineering efforts that may involve performance trade-offs.

The full blog post makes for an interesting read.


Author: Abner Li, Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com