Bookmark this page as https://g.co/chrome/security-update-faq
Almost all Chrome updates contain security fixes, and should be prioritized equally. The most secure option is to automatically update Chrome as soon as any update is available, independent of the specific details of any security fixes included in the update.
Almost all updates have security fixes. Every week, Chrome releases a new version that materially improves security. The Chrome Security team believes the best option for security is to apply all updates to Chrome as soon as they are available. We recommend against and do not support using the security release notes as a method to prioritize updates. Instead, all updates should be prioritized equally, and considered to be important security fixes.
Patching, remediating, and protecting against security vulnerabilities is a core part of the Chrome engineering process. The Chrome Security team works to protect Chrome users and make it safe to click on links by building features and architecting systems to defend against exploitation, network tampering, malware and phishing. Every release of Chrome includes not just security patches, but new security features and other defensive improvements developed by the Chrome Security team.
Chrome releases stable milestones every four weeks (MXXX), with “refresh” releases in-between milestones. Milestones are refreshed with updates that can contain security fixes and functional bug fixes for high-impact bugs. There are planned security refreshes weekly for every milestone, with all of the security fixes since the previous release. Chrome may have unscheduled updates between milestones to fix critical security issues, address breaking functional bugs, or patch known in-the-wild exploits. Updates and rapid response are part of the Chrome security development lifecycle, and Chrome invests in its ability to quickly refresh a release when needed. While we do try to reduce the number of unplanned updates, these releases are an important part of how Chrome works to secure its users, and are an example of Chrome’s vulnerability reporting and security engineering processes working as intended.
Are security fixes included in every new milestone release? Yes.
How do I avoid compatibility issues with web platform changes if I automatically update Chrome? Breaking changes to the web platform are communicated in the enterprise release notes. For changes that may cause compatibility issues, Chrome includes a temporary enterprise policy to maintain the old behavior for several milestones beyond the change, which gives enterprises time to address compatibility issues. To proactively identify these issues, we recommend enterprises test their critical workflows, or have a cohort of users running the Beta version of Chrome.
You can read more details and best practices on the Chrome Update Management Strategies technical doc. Enterprises can also reach out to their support representatives for help, or file an issue if they identify a bug in a new version of Chrome.
How do I prioritize updates that patch vulnerabilities known to be under exploitation in the wild (zero-days)? Don't---this strategy puts you at risk. Security fixes are important regardless of whether or not there is known exploitation. There are two main reasons for this:
First, we know that we do not have full visibility into every exploit in the wild. Chrome has an industry-leading multi-layered approach to finding possible exploits, including code reviews, testing and fuzzing, working with researchers and external organizations, and a vulnerability rewards program. However, it's impossible to guarantee that a fixed vulnerability was never exploited in the wild, so you should always roll out the fix.
Second, vulnerabilities may be exploited after our fix is rolled out. Exploiting patched vulnerabilities in unpatched installations is known as N-day exploitation, and it gets easier and cheaper for attackers after we’ve made a fix available in a new version. If you don‘t update, you’re putting your organization at risk of N-day exploits, which are much more accessible to bad actors than 0-day exploits.
Remember, a bug is only regarded as a security bug if we consider it exploitable, so we recommend Chrome users treat all security fixes with equal priority and always patch their installation. The best defense against attackers exploiting patched vulnerabilities in Chrome is to automatically update Chrome whenever an update is available.
I've noticed that Chrome has a lot of security updates. Does that mean something is wrong? No. Fast and frequent updates are one of Chrome‘s security strengths. We’ve spent years building advanced release infrastructure in order to increase the number of security updates you receive, and the frequency that we can send them out. This keeps you a step ahead of bad actors.
Updating every week (or more) is a lot of work. How can my IT department keep up? Chrome is designed to be easy for IT admins to manage and update. If you‘re finding that it’s a lot of work to keep up with Chrome‘s update schedule, there’s a good chance that there's an easier way to accomplish your goals. Enterprises that disable auto-updates and instead roll out manual updates are both decreasing their security and greatly increasing the amount of work they have to do.
Read through different update strategies and best practices on the Chrome Update Management Strategies technical doc.
Is it possible that a Chrome update could address a functional bug, and no security bugs? Yes, there are releases containing only functional fixes. When this occurs, there are no security fix notes for the corresponding desktop stable release.
How do I know what security fixes are included in a specific Android Chrome release? Android releases contain the same security fixes as their corresponding desktop release (first three segments of the version number are the same), unless otherwise noted.
How do I know what security fixes are included in a specific Chrome on iOS release? Due to Apple platform limitations, the browsing engine for Chrome on iOS is Webkit, which is also used by Safari. Apple maintains Webkit and tracks security issues as part of their iOS release process. To receive WebKit security fixes, users should always update iOS to the latest version. Whenever possible, Chrome will ship patches on iOS to mitigate issues in Webkit. In the event of a Chrome on iOS specific security flaw, Chrome will note the fix in the release notes for the corresponding desktop release.
My product includes one of Chrome's components (such as V8 or WebRTC). How can I absorb security fixes? As with Chrome itself, you should assume that all security fixes are important and arrange to include them in your product. We recommend tracking Chrome‘s “stable” branch - more recent branches may have a higher density of ephemeral security bugs which we will fix before shipping to stable. For some of Chrome’s components (such as WebRTC) security bugs are relatively infrequent and it may be possible to manually absorb new versions as necessary by monitoring Chrome release notes. For others (such as V8) security bugs are so frequent that the better strategy is to absorb a new version of the component every week. For these components, Chrome does not support making update decisions based upon the exact security content of the release - instead, just take a new version each week.
