Bad patching practices are a breeding ground for zero-day exploits, Google warns

Written by

Customers of major software vendors take comfort whenever a vendor issues a security fix for a critical software vulnerability. The clients expect that software update to keep attackers from stealing sensitive information.

But new data from Google’s elite hacking team, Project Zero, suggests that assumption is misplaced. One in four “zero-day,” or previously unknown, software exploits that the Google team tracked in 2020 might have been avoided “if a more thorough investigation and patching effort were explored,” Project Zero researcher Maddie Stone said Wednesday.

In some cases, the attackers only changed a line or two of code to turn their old exploit into a new one. Many of the zero-day exploits were for popular internet browsers like Chrome, Firefox or Safari, exposing an array of users around the world.

Project Zero’s sample size is modest, covering just 24 exploits in all. But the data points to a need for greater scrutiny — from third-party researchers, technology users and journalists — of vendors’ commitment to fixing software flaws.

“Across the industry, incomplete patches — patches that don’t correctly and comprehensively fix the root cause of a vulnerability — allow attackers to use 0-days against users with less effort,” Stone wrote in a blog post.  

Some vendors only blocked a “proof of concept” exploit developed by researchers rather than addressing the vulnerability itself, Stone said. For their part, researchers sometimes don’t follow up on whether a software patch gets the job done, she added.

The sloppy patching has real-world consequences. More than two years ago, unidentified hackers began exploiting a vulnerability in Internet Explorer that could allow them to take full control of a user’s browser. The same attackers — whom Google said were targeting people in North Korea or who work on North Korean issues  — ended up exploiting three similar Internet Explorer bugs in the exact same manner in 2019 and 2020.

“Fixing these vulnerabilities comprehensively the first time would have caused attackers to work harder or find new 0-days,” Stone said.

While a simple concept, consistently issuing effective software patches can require vendors to invest significant resources and planning in doing so. The hope is that vendors realize that the cost of negligence — in the form of disaffected and victimized customers —  outweighs the cost of fixing the bug.