By Bruce Sussman
Tue | May 26, 2020 | 5:30 AM PDT

Last week, Google's Chrome browser security team revealed analytics about Chrome's most recent 912 "high" or "severe" cybersecurity bugs.

And in the process, the team made three statements about the cat and mouse game being played out between cyber attackers and defenders.

Google Chrome team speaks about cyber attackers

Under the headline "Staying Still is Not an Option," the Chrome team shared its perspective on the fight against cyber bad actors and what cyber defenders must do.

"We believe that:

  1. Attackers innovate, so defenders need to innovate just to keep pace.

  2. We can no longer derive sufficient innovation from more processes or stronger sandboxes (though such things continue to be necessary).

  3. Therefore the cheapest way to maintain the advantage is to squash bugs at source instead of trying to contain them later."

Most Chrome bugs are memory safety problems

Now, let's back up a step to the reason Google is making these statements.

The Chrome team looked at the "high" and "severe" browser security vulnerabilities dating back to 2015 and found that more than 70% of them are memory safety problems, as follows:

[Chart: google-chrome-security-bugs]

"As well as risking our users' security, these bugs have real costs in how we fix and ship Chrome," Google team members wrote.

In the Chromium blog post, the team reveals why it believes sandboxing is helpful but of limited use, and where the team will go from here.

"Our next major project is to prevent such bugs at source."
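As an added illustration (not code from the Chromium post or from Chrome itself), here is the shape of the bug class behind that 70% figure in C, next to the same parser fixed at source; the record layout, struct and function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Chrome code: a length-prefixed record parser, the
 * kind of native code where most of Chrome's high-severity bugs live.
 * Assumed wire layout: byte 0 = payload length N, bytes 1..N = payload. */
#define NAME_MAX 8

struct record {
    char   name[NAME_MAX];
    size_t len;
};

/* Buggy version: the input-controlled length byte is trusted, so any
 * N > NAME_MAX makes memcpy write past name[] (an out-of-bounds write, the
 * class the Chrome team is counting). A sandbox can only contain the damage
 * after the write happens; it does not stop the write itself. */
int parse_record_unchecked(const uint8_t *buf, size_t buflen, struct record *out) {
    if (buflen < 1) return -1;
    size_t n = buf[0];
    memcpy(out->name, buf + 1, n);      /* no bound against NAME_MAX or buflen */
    out->len = n;
    return 0;
}

/* Fixed at source: every size derived from input is validated against both
 * the input buffer and the destination before any write happens. */
int parse_record_checked(const uint8_t *buf, size_t buflen, struct record *out) {
    if (buf == NULL || out == NULL || buflen < 1) return -1;
    size_t n = buf[0];
    if (n > NAME_MAX) return -2;        /* would overflow out->name */
    if (n > buflen - 1) return -3;      /* would read past the end of the input */
    memcpy(out->name, buf + 1, n);
    out->len = n;
    return 0;
}

int main(void) {
    /* Constructed inputs: one well-formed record, one with a lying length byte. */
    const uint8_t good[]     = {5, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t oversize[] = {200, 'x'};
    struct record r;
    printf("good:     %d\n", parse_record_checked(good, sizeof good, &r));
    printf("oversize: %d\n", parse_record_checked(oversize, sizeof oversize, &r));
    return 0;
}
```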

Read the Google Chrome security post for details on how Google plans to tackle this.
