catskull.net

Is your browser up to date?

Check it right now. Is it up to date?

One of my personal interests is monitoring people’s browser update status. We have regular company calls where people will share their screen and all of the major browsers make it extremely obvious if the browser needs to be updated. Chrome especially makes it entertaining to monitor just how outdated it is. I wish I had a screenshot but I don’t. In the top right corner there will be a little badge that will be green/yellow/red depending on how outdated it is.

I’ve also casually asked friends and coworkers if their browser is updated and virtually none of them had an updated browser at the time of asking. This is across not only Chrome users, but Firefox, Brave, and whatever other hipster Chromium upstarts people like to use as well.

Interestingly, Sam initially claimed his Safari was out of date, but then realized it was updated somehow without him even knowing how or why. It seems that Safari is unique in that Apple ships Safari updates as OS updates and with the default update behavior, macOS automatically updates reliably. At least anecdotally.

I can’t say I know for sure why seemingly every running instance of Chrome is perpetually outdated, but I have a few hunches.

First, Google ships Chrome updates very frequently. As in, like, every other day. Google maintains a blog detailing the updates for various versions of Chrome. It looks like they shipped an update today- July 16, 2026. Included in it are three critical CVE patches and four high patches. The previous update was literally two days ago on July 14. It included two criticals and twelve highs. For what it’s worth, Firefox publishes security advisories and the most recent critical vulnerability was patched on July 14 as well. The page is a bit hard for me to parse, but it appears the last critical patch was back in May of this year. That isn’t to say that Firefox is inherently more secure than Chrome, just that for whatever reason Firefox ships fewer critical fixes. Reasons might include Firefox actually being more secure, fewer people looking for vulnerabilities, or Firefox fixing fewer of the vulnerabilities that are reported to them. I don’t actually have any knowledge or insight into those specifics, I just want to make it clear I’m not calling out Chrome or Firefox here specifically. It should be assumed that major vulnerabilities exist in all software at any point.

Second, Chrome does not automatically update. It automatically downloads the updates, but the user is required to manually exit and relaunch Chrome. The UI makes this fairly simple to do, but it seems that for whatever reason, users simply don’t do this. People keep a few tabs open at all times for whatever web apps they need for their work and don’t want to close them ever. Fear of losing data? I don’t know. It feels a bit ironic to me that in the day of everything being a cloud service, users are afraid of losing their data. We’re so far gone past the Windows 95/98 days of yore where a full system reboot was required at least once a day, if not more frequently. I think if Chrome actually relaunched itself automatically the amount of up to date Chrome instances would go to 100% overnight. I’m not sure why it doesn’t do this, perhaps there is some operating system technical constraint, perhaps Google simply doesn’t want to interfere with people’s lives. And it’s not like Firefox (or other Chromium based browsers) do this any better. Is it just the industry standard way of updating a browser?

Third, Chrome seems about equally likely to ship a 4GB AI model as it is to fix critical vulnerabilities. Because Google is an advertising company, their primary motivation will always be profit at whatever cost they can get away with. I’m not sure what the average Chrome user’s sentiment is towards Google, but considering they’re willing to manually install Chrome on their operating system, they must have some level of trust in Google software. Still, I wonder if this is part of the hesitation. They’re not sure what random changes might have shipped in Chrome and they don’t want to disrupt their workflow. That’s a fair standpoint, in my opinion. I think it also applies to the other browsers as well, not just Chrome.

There are no silver bullets, especially in technology. Everything has tradeoffs. On one hand, I believe that the modern web browser is the most sophisticated and complex software that has ever existed. It’s quite literally miraculous. On the other hand, this means the potential pool of exploitable users is larger than it’s ever been. There’s more incentive for bad actors than there ever has been, period. It’s a tragedy of the commons.

However, I will call out Chrome specifically here. Interestingly, Wikimedia publishes their own browser usage share stat. Cloudflare also reports this metric. The Wikipedia page on “Usage share of web browsers” shows that Wikimedia reports 53.9% of their traffic in the month of July 2026 coming from Chrome. Cloudflare reports 68% for the same period. The next closest is Safari at 25.1%/19% from Wikimedia and Cloudflare respectively. Should this mean that Google shares twice the responsibility for keeping their users safe as Apple does?

The modern day Common Vulnerabilities and Exposures (CVE) system is a double edged sword. In the ideal process, vulnerabilities are discovered, reported, fixed, then disclosed to the public. Sometimes if the organization responsible for the patch doesn’t respond, the vulnerability will be disclosed before a patch is released, but in the case of the major browser companies, thankfully that rarely happens. The issue is not that vulnerabilities are not patched. The issue is that once the vulnerability is fixed, it is disclosed. At that point it’s no longer a “0-day” (unpatched) vulnerability and instead becomes a “1-day” or “N-day” vulnerability. These patched vulnerabilities continue to be actively exploited because not everyone updates their software! In fact, it brings the vulnerability from elite hacking group status to more pedestrian levels of effort because the problem and the fix are well documented. The best example of this I have is myself.

Last year, I wanted to port mainline OpenWRT to the Cudy R700. The software shipped by Cudy is a fork/skin on top of OpenWRT. However, it’s locked down and updates have to be signed by Cudy so a port was not possible without Cudy’s blessing. I eventually got them to sign a mainline OpenWRT image that removed the update signature check, but in the meantime I attempted to simply exploit the software. Among other things, I researched patched OpenWRT CVEs that were newer than Cudy’s firmware to see if I could use one of them to exploit the router and gain root access to install mainline OpenWRT without Cudy’s blessing. I was unsuccessful in that endeavor, but to me it highlights the issue. Bottom-feeder hackers like myself can easily research patched CVEs to target unpatched devices. While a consumer router is a fairly small attack vector, extrapolate that process to the millions of browser users! Combined with the ubiquity of NPM packages and the tendency for them to be exploited, the attack surface is possibly the largest it’s ever been. I am not malicious, but there are many who are!

I don’t have the solution here. But I’m also not a company with a market capitalization in the trillions. It does seem to me that Apple’s update strategy is more effective at getting critical security updates out to more users in a seamless way. Can Google really not figure out a way to automatically update the browser without requiring user intervention? Surely there must be a solution. If I was going to recommend something to a non-technical user such as my Mom, I’d probably just tell them to use Safari on some Apple hardware that was still getting software updates. But that’s also not a perfect solution and has a lot of its own issues.

Is your browser up to date? What browser do you use? If it’s not updated, why? I’m genuinely curious!