Google explains why in-the-wild browser attacks appear to be increasing

Last week, Adrian Taylor of the Chrome Security team published a post on the Google security blog explaining “why there seems to be an increase in CVE exploits in the wild”. Several factors contribute to this growing visibility of exploits. Google’s Project Zero team also tracks zero-day vulnerabilities across the browsers it monitors, including WebKit, IE, Flash, Firefox, and Chrome.

From 2015 to 2018, no zero-day vulnerabilities were recorded against Chrome, but from 2019 to 2021 the number of in-the-wild exploits against Chrome grew significantly. The Chrome Security team explained that this does not mean there were no browser exploits targeting the Chromium code base in the earlier period; the available data may suffer from sampling bias, since detection and reporting at the time were far from complete.


So why does it still feel as though more vulnerabilities are being exploited? Chrome Security attributes this to four possible reasons: (1) vendor transparency, (2) a shift in attacker focus, (3) completion of the site isolation project, and (4) the inherent complexity of software.

  • First, many browser vendors are changing their old practices and now actively disclose details of in-the-wild exploits through their own channels.
  • Second, attacker focus has shifted. With Microsoft Edge switching to the Chromium rendering engine in early 2020, a Chromium bug now reaches a much wider audience, so attackers naturally target it.
  • Third, part of the increase in counted bugs stems from the recently completed multi-year site isolation project: with sites isolated from one another, a single bug can surface without doing much damage on its own.
  • Fourth, all software has bugs, and a small fraction of them will be exploitable. As browsers and operating systems grow more complex, more bugs are inevitable.

To sum up, the raw number of vulnerabilities can no longer be equated directly with security risk. Even so, the Chrome team commits to working hard to detect and fix bugs before release.

The “patch gap”, the window available to n-day attacks that exploit already-known vulnerabilities, has been reduced significantly (from 35 days in Chrome 76 to an average of 18 days). In addition, the Chrome team is working to make attacks more complex and more expensive, so that fewer of them happen in the first place.

Specific improvements being implemented include expanded site isolation (especially on Android), the V8 heap sandbox, the MiraclePtr/Scan project, new components written in memory-safe programming languages, and targeted mitigations added after a bug is exploited in the wild.

Finally, for ordinary users, the simplest defence is to apply the update as soon as the Chrome update reminder appears.
