
SecurityWeek

Vulnerabilities

Chrome and Its Vulnerabilities – Is the Web Browser Safe to Use?

Why are there so many vulnerabilities in Chrome? Is it realistically safe to use? Can Google do anything to make the web browser safer?


Like all major applications, Google’s Chrome suffers from vulnerabilities. During 2022, SecurityWeek reported on 456 vulnerabilities (averaging 38 per month), including nine zero-days. The high number of flaws needing to be patched poses a simple question: is Chrome safe to use?

This high rate of vulnerability disclosures and patches has continued into 2023. In January, Chrome 109 shipped with fixes for 17 vulnerabilities, and a follow-up update fixed six more. Chrome 110 patched 15 vulnerabilities in February; Chrome 111 patched 40 in March, with a further eight in a subsequent update; and Chrome 112 patched 16 in April. April also saw a patch for the second zero-day vulnerability of 2023. Chrome 113 patched 15 vulnerabilities in May, followed by a further 12. June opened with the third zero-day patch of 2023, in Chrome 114, followed by five more fixes.

The list is so long it almost becomes boringly repetitive – but it will undoubtedly continue growing through the rest of the year and beyond. The questions raised, however, are not boring. Why are there so many vulnerabilities? Is Chrome realistically safe to use? Can Google do anything to make the product safer? Can users do anything to increase their safety? SecurityWeek talked to Tal Zamir, the CTO at Tel Aviv, Israel-based Perception Point (a detection and response vendor covering major threat surfaces including browsers).

The primary reason for the number of vulnerabilities is, put simply, statistics: a combination of the size of the codebase, the attractiveness of the target, and the number of people who use it. “Over the years, Chrome has grown into a huge codebase – almost an operating system like Windows in its size, because it has so many features under the hood,” said Zamir.

“It might look simple – you think, hey, it’s just a browser application. But in practice, it’s a monster. It’s an application that people use most of the time, most of the day, both in the enterprise and in the consumer space. This is what we use for most of our activities online,” he added.

The larger the codebase, the greater the number of vulnerabilities. That’s a reality of computing. The more an application is used, the greater the number of attackers looking for ways to attack it. This will include both criminals and nation states and is again inescapable. It’s worth noting that according to Statcounter (May 2023), Chrome had a 62.87% share of the global browser market. Safari was second with 20.7%, while Edge came in third with just 5.32%.

We cannot expect Google to do more to secure its code. This again is an inescapable feature of business life. Google would have to reduce both the quantity and speed with which it introduces new features, and that goes against the grain of ensuring and perhaps increasing market share. Microsoft has always been in catch-up mode for browsers, but now there is a full-fledged battle over the best (that is, most profitable) integration of AI into their products.

“Microsoft is giving Google a real fight,” said Zamir. “This is especially in the enterprise space but also for consumers who are tempted to go with the Microsoft bundles. I predict that it will become even harder for Google to fight and keep its first place in the browser space. In this fight, it will add new features and try to innovate even faster. When you do this, you typically put security as a secondary consideration. Speed is the need – you need to be in front of the users with shiny new things, and security might lag. It doesn’t mean that Google will neglect security. It definitely invests in the security of Chrome – but I think security will be secondary to the new features.”


Where Google cannot be criticized is over its response to Chrome vulnerabilities once they exist. The policy is to find them (through its own research teams and its bug bounty program) and then to fix and ship patches before attackers can abuse them.

This is still a reactive, find-and-fix approach rather than a proactive one that keeps flaws from reaching users in the first place. While Google itself is largely forced by business realities to be reactive on security – and most companies are in the same position – the user can take a more proactive approach. The first step is the obvious one: actually apply those patches. Chrome downloads updates in the background, but the new code only runs after the browser is relaunched, so a machine that has not restarted Chrome in days may still be running a version with publicly documented, exploitable bugs. Beyond that, a proactive posture typically involves the addition of specialist security products, such as that from Perception Point, to protect the application and its use.
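As an added illustration (not from the article, and not Perception Point's product), this is what the find-and-patch policy looks like when an administrator turns it into enforced behaviour on managed machines. Chrome on Linux reads JSON policy files from /etc/opt/chrome/policies/managed/; the policy names and values below are Chrome's own documented enterprise policies, while the file name and the 24-hour relaunch window are assumptions chosen for this example.

```json
{
  "RelaunchNotification": 2,
  "RelaunchNotificationPeriod": 86400000,
  "SafeBrowsingProtectionLevel": 2,
  "SitePerProcess": true
}
```

Without `RelaunchNotification`, Chrome silently downloads an update and keeps running the old binary until the user happens to relaunch; with the value 2 ("required") and a period of 86400000 milliseconds (24 hours, an assumption here; the default is seven days), users are warned and then forced to relaunch within a day of a patch landing. `SafeBrowsingProtectionLevel` 2 selects Enhanced protection rather than the default Standard level, and `SitePerProcess` pins site isolation on so that it cannot be switched off locally. On Windows the same policies are set through Group Policy or the registry rather than a JSON file.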

This raises one further question – if small security firms can protect Chrome, why cannot Google (one of the largest developers in the world) develop similar protection inside Chrome? “Google definitely could,” said Zamir, “if it was willing to invest many years of engineering.” 

Technically, it is possible, but economically it is infeasible. We come back to the ‘shiny new thing’ image. For Chrome, the shiny new things are the additional features that make it attractive to users. Invisibly embedded complex security controls do not qualify as shiny new things, so will always be pushed down the priority line. But for a third party security vendor, security is the shiny thing.

This is the reality of modern cybersecurity. You cannot assume that any application is secure or that the app vendor will keep you safe. All users must take their own responsibility for the security of the products they use. Google Chrome is the unlucky example we chose for this discussion – but the principles will apply to almost all commercial applications.

Related: Google Attempts to Explain Surge in Chrome Zero-Day Exploitation

Related: Google Pays $45,000 for High-Severity Vulnerabilities Found in Chrome

Related: Researcher Says Google Paid $100k Bug Bounty for Smart Speaker Vulnerabilities

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
