One Article Review

Article:
Source: GoogleSec
Identifier 8367400
Publication date 2023-08-08 11:59:04 (seen: 2023-08-08 18:06:35)
Title An update on Chrome Security updates – shipping security fixes to you faster
Text Posted by Amy Ressler, Chrome Security Team

To get security fixes to you faster, starting now in Chrome 116, Chrome is shipping weekly Stable channel updates.

Chrome ships a new milestone release every four weeks. In between those major releases, we ship updates to address security and other high impact bugs. We currently schedule one of these Stable channel updates (or “Stable Refresh”) between each milestone. Starting in Chrome 116, Stable updates will be released every week between milestones. This should not change how you use or update Chrome, nor is the frequency of milestone releases changing, but it does mean security fixes will get to you faster.

Reducing the Patch Gap

Chromium is the open source project which powers Chrome and many other browsers. Anyone can view the source code, submit changes for review, and see the changes made by anyone else, even security bug fixes. Users of our Canary (and Beta) channels receive those fixes and can sometimes give us early warning of unexpected stability, compatibility, or performance problems in advance of the fix reaching the Stable channel.

This openness has benefits in testing fixes and discovering bugs, but comes at a cost: bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven't yet received the fix. This exploitation of a known and patched security issue is referred to as n-day exploitation. That's why we believe it's really important to ship security fixes as soon as possible, to minimize this “patch gap”.

When a Chrome security bug is fixed, the fix is landed in the public Chromium source code repository. The fix is then publicly accessible and discoverable. After the patch is landed, individuals across Chrome are working to test and verify the patch, and evaluate security bug fixes for backporting to affected release branches. Security fixes impacting Stable channel then await the next Stable channel update once they have been backported. The time between the patch being landed and shipped in a Stable channel update is the patch gap.

Chrome began releasing Stable channel updates every two weeks in 2020, with Chrome 77, as a way to help reduce the patch gap. Before Chrome 77, our patch gap averaged 35 days. Since moving to the biweekly release cadence, the patch gap has been reduced to around 15 days. The switch to weekly updates allows us to ship security fixes even faster, and further reduce the patch gap.

While we can't fully remove the potential for n-day exploitation, a weekly Chrome security update cadence allows us to ship security fixes 3.5 days sooner on average, greatly reducing the already small window for n-day attackers to develop and use an exploit against potential victims and making their lives much more difficult.

Getting Fixes to You Faster

Not all security bug fixes are used for n-day exploitation. But we don't know which bugs are exploited in practice, and which aren't, so we treat all critical and high severity bugs as if they will be exploited. A lot of work goes into making sure these bugs get triaged and fixed as soon as possible. Rather than having fixes sitting and waiting to be included in the next bi-weekly update, weekly updates will allow us to get important security bug fixes to you sooner, and better protect you and your most sensitive data.

Reducing Unplanned Updates

As always, we treat any Chrome bug with a known in-the-wild exploit as a security incident of the highest priority and set about fixing the bug and getting a fix out to users as soon as possible. This has meant shipping the fix in an unscheduled update, so that you are protected imm
Sent Yes
Tags
Stories
Notes ★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a follow-up to an earlier one.