In context: Chrome revolutionized browser development with its accelerated update and release cycle. Now, Google has announced another potentially disruptive change aimed at enhancing users' web security. This shift is expected to bring about more work for developers of third-party, Chromium-based browsers.
Beginning with Chrome 116, set for release on August 15, Google will roll out a new update for its free web browser every week. Mountain View has chosen to expedite Chrome's release cycle primarily for security purposes, with each update addressing critical security vulnerabilities and other high-impact bugs.
This weekly release rhythm will not affect the delivery of monthly "milestone" releases for Chrome, as clarified by Google on its Security Blog. The company is essentially intensifying the "Stable Refresh" schedule, which used to bring a security update between two distinct milestones and is now moving to what is in practice a weekly release cadence.
Google stated that instituting a weekly Stable channel update is essential due to Chrome's foundation on the Chromium open-source project. When a security bug is rectified within the Chromium codebase, the fix becomes visible and accessible to all, including cybercriminals. This broader visibility provides malicious actors with an enhanced opportunity to scrutinize and potentially capitalize on the recently addressed vulnerability.
The practice of exploiting a known and patched security vulnerability is referred to as "n-day exploitation," as explained by Google. Users of the Canary and Beta channels receive bug fixes in advance, allowing them to test the new code for potential issues related to reliability and performance. Recognizing the significance of minimizing the "patch gap" between updates, Google has decided to implement a weekly security update cycle for stable users.
Google was already thinking about reducing the patch gap in 2020, when the company initiated the release of new Stable channel (security) updates on a biweekly basis between two milestone Chrome versions.
According to Google, Chrome will soon have a significantly reduced window for n-day exploitation by malicious entities. However, it's important to note that other Chromium-based browsers may not necessarily adopt the same approach. Google cannot control the update frequency of third-party browsers, which may exhibit varying patch gaps despite being built upon the same Chromium engine.