Browser security is a big issue these days. With so many of us relying on our internet-connected devices for work, play, communication, and everything in between, bad actors are very interested in getting at the private data we have strewn across the web. Browsers, in particular, are an excellent attack vector, since a single browser bug can open the door to users’ accounts and to companies’ protected environments.

You may have noticed that Google has been reporting more and more so-called “in-the-wild” exploits over recent years: vulnerabilities that attackers are actively using against Chrome and against every other browser built on Google’s open-source Chromium code base, such as Edge, Vivaldi, and Brave.

Today, Google has shared why this is happening and what it is doing against these threats.

What is an in-the-wild exploit?

An “in-the-wild” exploit is an attack that abuses a browser vulnerability and that attackers are actually using against real targets, rather than a bug that has only been demonstrated by researchers. Depending on the bug, a successful exploit can let the attacker gain access to the victim’s computer, snoop on them, or change settings and options without their knowledge. In-the-wild exploits are particularly dangerous precisely because they are already being used, so Google and other security companies have to scramble to close the hole and harden their software while the attacks are still ongoing, rather than before anyone has tried them.

Why are there so many in-the-wild exploits in Chrome at the moment?

Google has reported an influx of Chrome exploits in recent years, and there are several reasons why this is happening.

For one, vendors have become much more transparent about security vulnerabilities. Where a browser maker in the past might have silently fixed an issue without ever disclosing it, these companies now communicate and cooperate far more, fixing shared issues across competing products and working together to make the internet a more secure place. That is also why Google simply knows about more exploits: in the past, it may never have received the information on some of them in the first place.

For another, Google Chrome and the Chromium code base it is built on keep gaining market share, which makes them a more valuable target: a single vulnerability lets an attacker reach more people. With Chromium now powering the majority of browsers in use, the same dynamic that once made the ubiquitous Adobe Flash plugin the favourite target is now playing out with Chrome.

There are also more exploits simply because Google’s security efforts are paying off. Adrian Taylor of the Chrome Security team says that “some attacks that could previously be accomplished with a single bug now require multiple bugs,” and attack chains that need several bugs naturally mean more exploited bugs in total. Chrome gets there by running web content in sandboxed renderer processes and, with site isolation, by giving each site its own renderer process: an attacker who exploits a bug in the renderer still has to break out of the sandbox with a second bug before reaching the rest of the system, and cannot read other sites’ data from the compromised process.

Taylor also notes that browsers keep growing more complex and ever more similar to operating systems, so there is simply more code in which exploitable bugs can be introduced in the first place.

What is Google doing to combat and prevent Chrome exploits?

Google and its developers are determined to fix security holes ever faster. Where fixing a bug could take up to 35 days back in Chrome 76, that figure is now down to about 18 days on average for recent releases. With Chrome’s release cycle shortened from six weeks to four, fixes also reach users sooner, so this metric should only improve.

Google also has a number of technical measures in place to prevent exploits in the first place. As mentioned above, the company is still improving site isolation, which confines each site to its own sandboxed renderer process so that a compromised renderer cannot reach other sites’ data and an attacker needs a separate sandbox escape to get any further. This work is mostly finished on desktop operating systems, but it is still an ongoing effort on Android in particular.

Google is additionally working on a sandbox inside the JavaScript engine that keeps bugs in its just-in-time compiler from turning into full memory corruption, since JIT bugs are another favourite way of hijacking browsers. Then there are so-called “memory safety” bugs: programming errors in Chrome’s C++ code, such as using memory after it has been freed or reading past the end of a buffer, which attackers can turn into control of the process. Google is improving the situation by adding extra checks that run while the browser is running, and it is also looking into writing parts of Chrome in a memory-safe language such as Rust. Rust, which originated at Mozilla, is designed from the ground up to rule out this class of bug at compile time.
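The kind of runtime check the paragraph above alludes to can be sketched in a few lines. The following C++ is an added example written for this article, not Chrome’s code (Chrome’s real mechanism is far more involved): every allocation carries a small header, a `CheckedPtr` counts how many such pointers are watching the object, and `get()` refuses to hand out a pointer once the object has been freed, so a use-after-free becomes a detectable null instead of a silent write into recycled memory. All names here (`Header`, `Alloc`, `Free`, `CheckedPtr`, `Setting`) are this example’s own, and the `Setting` object is a constructed stand-in for a real browser object.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

// Example code, not Chrome's: a toy "checked pointer" that detects use-after-free.
// Header placed in front of every allocation. Storage is only returned to the
// system once the object is freed AND no CheckedPtr references it, so reading
// the header through a dangling CheckedPtr is always safe.
struct alignas(std::max_align_t) Header {
  uint32_t refs = 0;   // live CheckedPtr instances pointing at this block
  bool freed = false;  // set by Free(); block is quarantined while refs > 0
};

static Header* HeaderOf(const void* p) {
  return const_cast<Header*>(static_cast<const Header*>(p) - 1);
}

static void* Alloc(size_t n) {
  void* raw = ::operator new(sizeof(Header) + n);
  Header* h = new (raw) Header();
  return h + 1;  // user memory starts right after the header
}

static void Free(void* p) {
  Header* h = HeaderOf(p);
  h->freed = true;
  if (h->refs == 0) ::operator delete(h);  // nobody watching: release now
  // otherwise the block stays quarantined until the last CheckedPtr lets go
}

// Behaves like a raw pointer, but get() refuses to return an object that has
// already been freed. Copying is disabled to keep the example short.
template <typename T>
class CheckedPtr {
 public:
  explicit CheckedPtr(T* p) : p_(p) { if (p_) HeaderOf(p_)->refs++; }
  CheckedPtr(const CheckedPtr&) = delete;
  CheckedPtr& operator=(const CheckedPtr&) = delete;
  ~CheckedPtr() {
    if (!p_) return;
    Header* h = HeaderOf(p_);
    if (--h->refs == 0 && h->freed) ::operator delete(h);  // last watcher
  }
  // nullptr instead of a dangling pointer: the bug becomes a null check or a
  // crash at the use site rather than silent corruption of recycled memory.
  T* get() const {
    if (p_ && !HeaderOf(p_)->freed) return p_;
    return nullptr;
  }
 private:
  T* p_;
};

// Constructed sample object standing in for e.g. a browser setting.
struct Setting { int value; };

// The classic raw-pointer use-after-free, shown but not executed:
//   Setting* raw = ...; Free(raw); raw->value = 1;  // writes into freed memory

// Returns true when the live object is readable before Free() and the checked
// pointer reports it as unusable afterwards.
bool CheckedPtrDetectsUseAfterFree() {
  Setting* s = static_cast<Setting*>(Alloc(sizeof(Setting)));
  s->value = 42;
  CheckedPtr<Setting> guard(s);
  bool live_ok = guard.get() != nullptr && guard.get()->value == 42;
  Free(s);  // object dies; storage is quarantined because refs == 1
  bool dangling_detected = guard.get() == nullptr;
  return live_ok && dangling_detected;
  // guard's destructor releases the quarantined block on return
}

// Normal path: the check costs a header read but changes nothing for live objects.
int LiveValueThroughCheckedPtr() {
  Setting* s = static_cast<Setting*>(Alloc(sizeof(Setting)));
  s->value = 7;
  CheckedPtr<Setting> guard(s);
  int v = guard.get()->value;
  Free(s);
  return v;
}

int main() { return CheckedPtrDetectsUseAfterFree() ? 0 : 1; }
```

The raw-pointer version of the bug is left as a comment rather than run, since dereferencing freed memory is undefined behaviour. The cost is the point the article goes on to make: every dereference now reads a header, and freed blocks linger as long as a checked pointer exists, which is exactly the CPU-and-memory trade-off Google has to weigh.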

The problem with all of these measures is that they come at a performance cost. The more checks you add to a huge, all-encompassing application like Chrome, the higher its CPU and memory usage climb, and Chrome has long been notorious as a resource and battery hog. Google therefore has to examine each step carefully, weighing the security improvement against what it costs in performance.

Google's security sheriff Adrian Taylor says that Google is “well past the stage of having ‘easy wins’ when it comes to raising the bar for security,” and it shows. The company is working hard to balance performance and security while also building new features and supporting new web app capabilities. Still, with its determination to fix bugs as soon as they are disclosed and to ship updates as fast as possible, the company is doing its part.

Let’s just hope international intelligence services don’t keep too many of these vulnerabilities under wraps, never to be seen by the public.