Developers of internet-facing applications are constantly working to find and fix security issues with those applications. Browser writers are no exception; in fact, they may be the most active. Sometimes they find vulnerabilities on their own or by using code analysis tools. There are many lists on the ‘net of such tools and https://phoenixnap.com/blog/vulnerability-assessment-scanning-tools is one example (as usual, neither Learning Tree International nor I endorse the site or the company or its products – I am only linking there because it has information in which readers of this blog may be interested).
Developers also address vulnerabilities that have been publicly disclosed in the CVE (Common Vulnerabilities and Exposures) database. The database is used by the global cyber security industry to document security issues. Each entry includes information about the severity, impact, and difficulty of exploiting the vulnerability, among other things. The database begins in January 1999. As of this writing, there are 148668 records in the database. The entries in the database and the scoring method are discussed in Learning Tree Course 4521 Introduction to Cyber Security – a Starter Guide. The US Cybersecurity and Infrastructure Security Agency provides a weekly email listing newly listed and updated CVE reports. You can subscribe through a link on that page.
Whether a vulnerability is discovered through the CVE database or through code analysis tools, developers need to confirm the issue, fix it, verify the fix, and then verify that the fix does not introduce other issues. The process sounds deceptively simple, but each of those steps is often significantly time-consuming to do well. (That is why fixes aren’t released as fast as some people may wish.) As one who has addressed security issues myself, I can confirm the complexity of the process.
Another issue is the release process. Software vendors know that end-users often resist installing new versions of software. An enterprise will need to test the interaction between the new version and other products, whether internally developed or from external sources. Even individual users may experience issues. This leads to a reluctance to ship fixes as soon as they are created, unless the new version fixes an urgent security issue. This is why we see some companies releasing new versions on a particular day of the week or month (e.g. “patch Tuesday”).
Open source software and web browsers in general are an exception. Fixes are often released as soon as major issues are resolved. In Learning Tree Course 468 System and Network Security Introduction, we advocate deploying security fixes as soon as they are released (after proper testing, of course).
Creators of all three major browsers have announced security releases recently. Some of those updates fix serious vulnerabilities, and you should update your browsers immediately. I know browser updates can change behavior and add or remove features, and that can be annoying. But in these cases, the added safety is likely to be worth the pain. For the record, I did not notice any impact on my user experience after updating Chrome.
While you’re at it, you might want to check other software for updates, too.