Google Cuts Chrome ‘Patch Gap’ in Half, From 33 Days To 15

Google security engineers said last week they have successfully cut down the “patch gap” in Google Chrome from 33 days to only 15 days. From a report: The term “patch gap” refers to the time it takes from when a security bug is fixed in an open source library to when the same fix lands in software that uses that particular library. In today’s software landscape where many apps rely on open source components, the “patch gap” is considered a major security risk. The reason is because when a security bug is fixed in an open source library, details about that bug become public, primarily due to the public nature and openness of most open source projects. Hackers can then use details about these security flaws to craft exploits and launch attacks against software that relies on the vulnerable component, before the software maker has a chance to release a patch. If the software maker is on a fixed release schedule, with updates coming out every few weeks or months, the patch gap can provide hackers with an attack window that most software projects can’t deal with.