Security vulnerabilities are no strangers to major applications such as Google’s Chrome. Reports suggest an alarming average of 38 vulnerabilities per month throughout 2022, which included nine zero-days. This increasing trend continued well into 2023, which understandably raises the question: How safe is Chrome to use?
The alarming proliferation of vulnerabilities
As we tread further into 2023, the number of vulnerability disclosures and patches continues to surge. The first quarter saw Chrome versions 109 through 112 patching an astounding total of 78 vulnerabilities, including a zero-day in April. Following this, Chrome 113 and 114 patched a total of 27 vulnerabilities in May and June, including the third zero-day of the year.
This alarming trend prompts several essential questions: Why the large number of vulnerabilities? How safe is Chrome to use in light of these risks? What can Google and users do to bolster the browser’s safety? To shed light on these questions, SecurityWeek turned to Tal Zamir, CTO at Tel Aviv-based Perception Point.
An unwelcome byproduct of statistics and code size
The surge in vulnerabilities could primarily be chalked up to statistics – a byproduct of the codebase size, the appeal of the target, and the user base. Zamir likens Chrome’s extensive codebase to an operating system due to its numerous embedded features. The increased usage and adoption naturally attract a greater number of attackers, criminals and nation states alike.
As of May 2023, Chrome held a staggering 62.87% of the global browser market, which further illustrates its allure for potential attackers.
The inescapable reality of business decisions
Securing the codebase further might appear to be the logical step forward. However, this would require a slowdown in the introduction of new features – a move that doesn’t align with market share expansion strategies.
Zamir pointed out that Google faces fierce competition, particularly from Microsoft in integrating AI into their products, which invariably accelerates the introduction of new features, sometimes at the expense of security.
Security – a necessary second fiddle?
Google has consistently shown its commitment to securing Chrome, actively identifying and patching vulnerabilities. However, the approach is inherently reactive, often necessitating additional security measures on the users’ end.
The argument that Google could enhance Chrome’s internal security meets the harsh economic reality: adding invisible security controls doesn’t boost user appeal as new features would. Hence, security, though critical, might take a backseat.
The final takeaway
Today’s cybersecurity landscape demands that users take the initiative for their own safety. Relying solely on app vendors for security is insufficient. Google Chrome serves as an example, but the principle applies to virtually all commercial applications.