Connect with us

Hi, what are you looking for?



Chrome and Its Vulnerabilities – Is the Web Browser Safe to Use?

Why are there so many vulnerabilities in Chrome? Is it realistically safe to use? Can Google do anything to make the web browser safer?

Chrome zero-day CVE-2023-5217 exploited

Like all major applications, Google’s Chrome suffers from vulnerabilities. During 2022, SecurityWeek reported on 456 vulnerabilities (averaging 38 per month), including nine zero-days. The high number of flaws needing to be patched poses a simple question: is Chrome safe to use?

This high rate of vulnerability disclosures and patches has continued into 2023. Chrome 109 patched 17 and six vulnerabilities in January. Chrome 110 patched 15 vulnerabilities in February; version 111 patched 40 and 8 in March; and version 112 patched 16 in April. April also saw a patch for the second zero-day vulnerability of 2023. Chrome 113 patched 15 vulnerabilities in May, followed by a further 12 vulnerabilities. June started with the third of 2023’s zero-day patches, in Chrome 114, and this was followed by a further 5 patches.

The list is so long it almost becomes boringly repetitive – but it will undoubtedly continue growing through the rest of the year and beyond. The questions raised, however, are not boring. Why are there so many vulnerabilities? Is Chrome realistically safe to use? Can Google do anything to make the product safer? Can users do anything to increase their safety? SecurityWeek talked to Tal Zamir, the CTO at Tel Aviv, Israel-based Perception Point (a detection and response vendor covering major threat surfaces including browsers).

The primary reason for the number of vulnerabilities is basically just statistics. It’s a combination of the size of the codebase, the attraction of the target, and the number of people who use it. “Over the years, Chrome has grown into a huge codebase – almost an operating system like Windows in its size, because it has so many features under the hood,” said Zamir. 

“It might look simple – you think, hey, it’s just a browser application. But in practice, it’s a monster. It’s an application that people use most of the time, most of the day, both in the enterprise and in the consumer space. This is what we use for most of our activities online,” he added.

The larger the codebase, the greater the number of vulnerabilities. That’s a reality of computing. The more an application is used, the greater the number of attackers looking for ways to attack it. This will include both criminals and nation states and is again inescapable. It’s worth noting that according to Statcounter (May 2023), Chrome had a 62.87% share of the global browser market. Safari was second with 20.7%, while Edge came in third with just 5.32%.

We cannot expect Google to do more to secure its code. This again is an inescapable feature of business life. Google would have to reduce both the quantity and speed with which it introduces new features, and that goes against the grain of ensuring and perhaps increasing market share. Microsoft has always been in catch-up mode for browsers, but now there is a full-fledged battle over the best (that is, most profitable) integration of AI into their products.

Advertisement. Scroll to continue reading.

“Microsoft is giving Google a real fight,” said Zamir. “This is especially in the enterprise space but also for consumers who are tempted to go with the Microsoft bundles. I predict that it will become even harder for Google to fight and keep its first place in the browser space. In this fight, it will add new features and try to innovate even faster. When you do this, you typically put security as a secondary consideration. Speed is the need – you need to be in front of the users with shiny new things, and security might lag. It doesn’t mean that Google will neglect security. It definitely invests in the security of Chrome – but I think security will be secondary to the new features.”

Where Google cannot be criticized is over its reactive approach to Chrome security. The policy is to seek (by its own research teams and bug bounty program), and then remedy and patch vulnerabilities before they can be abused by attackers.

This is a reactive rather than proactive approach. While Google itself is largely forced by business realities to be reactive on security – and most companies are in the same position – the user can take a more proactive approach. This inevitably involves the addition of specialist security products, such as that from Perception Point, to protect the application and its use.

This raises one further question – if small security firms can protect Chrome, why cannot Google (one of the largest developers in the world) develop similar protection inside Chrome? “Google definitely could,” said Zamir, “if it was willing to invest many years of engineering.” 

Technically, it is possible, but economically it is infeasible. We come back to the ‘shiny new thing’ image. For Chrome, the shiny new things are the additional features that make it attractive to users. Invisibly embedded complex security controls do not qualify as shiny new things, so will always be pushed down the priority line. But for a third party security vendor, security is the shiny thing.

This is the reality of modern cybersecurity. You cannot assume that any application is secure or that the app vendor will keep you safe. All users must take their own responsibility for the security of the products they use. Google Chrome is the unlucky example we chose for this discussion – but the principles will apply to almost all commercial applications.

Related: Google Attempts to Explain Surge in Chrome Zero-Day Exploitation

Related: Google Pays $45,000 for High-Severity Vulnerabilities Found in Chrome

Related: Researcher Says Google Paid $100k Bug Bounty for Smart Speaker Vulnerabilities

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.