Emergency Software Patches Are on the Rise

Emergency software patches, in which users are pushed to immediately update phones and computers because hackers have figured out some novel way to break in, are becoming more common. From a report: Researchers raised the alarm Monday about a big one: The Israeli spyware company NSO Group, which sells programs for governments to remotely take over people’s smartphones and computers, had figured out a new way into practically any Apple device by sending a fake GIF through iMessage. The only way to guard against it is to install Apple’s emergency software update. Such emergency vulnerabilities are called “zero days” — a reference to the fact that they’re such an urgent vulnerability in a program that software engineers have zero days to write a patch for it. Against a hacker with the right zero day, there is nothing consumers can do other than wait for software updates or ditch devices altogether.

Once considered highly valuable cyberweapons held mostly by elite government hackers, publicly disclosed zero-day exploits are on a sharp rise. Project Zero, a Google team devoted to identifying and cataloging zero days, has tallied 44 this year alone in which hackers had likely discovered the flaw before researchers did. That’s already a sharp rise from last year, which saw 25. The number has increased every year since 2018. Katie Moussouris, founder and CEO of Luta Security, a company that connects cybersecurity researchers and companies with vulnerabilities, said that the rise in zero days is thanks to the ad hoc way that software is usually programmed, which often treats security as an afterthought. “It was absolutely inevitable,” she said. “We’ve never addressed the root cause of all of these vulnerabilities, which is not building security in from the ground up.” But almost paradoxically, the rise in zero days reflects an online world in which certain individuals are more vulnerable, but most are actually safer from hackers.