Google’s bug hunters say they spotted 58 zero-day vulnerabilities being exploited in the wild last year, which is the most-ever recorded since its Project Zero team started analyzing these in mid-2014.
This is more than double the earlier record of 28 zero-day exploits detected in 2015. And miscreants are still using the same old techniques to get away with their mischief.
“With this record number of in-the-wild zero-days to analyze we saw that attacker methodology hasn’t actually had to change much from previous years,” wrote Google security researcher Maddie Stone in Project Zero’s third annual review of exploited programming blunders.
“Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces,” Stone noted.
A little depressing for network and system defenders, perhaps, however Stone puts a glass-half-full spin on the numbers: “We believe the large uptick in in-the-wild zero-days in 2021 is due to increased detection and disclosure of these zero-days, rather than simply increased usage of exploits.”
More entities are reporting in-the-wild zero-day exploitation, she wrote, adding that this is a “very rough measure.” Along these same lines, more vendors are noticing exploited-in-the-wild zero-day flaws in their own products. Google, as an example, discovered seven of these in its own products last year and Microsoft discovered 10, Stone wrote.
However, this massive spike in zero-days also means that Project Zero, along with infosec vendors and the larger tech industry as a whole, aren’t doing enough to, as Project Zero says in its mission, “make zero-days hard.”
58 meh bugs, only 2 wow
Of these 58 security flaws abused last year, 56 of them are similar to previously known vulnerabilities. Thirty-nine, or 67 percent, were memory corruption vulnerabilities, and most of these fall into the following familiar bug classes:
- 17 use-after-free()
- 6 out-of-bounds read & write
- 4 buffer overflow
- 4 integer overflow
Two of last year’s zero-days stood out. One of these (CVE-2021-30860) was the zero-click vulnerability in iMessage. NSO’s Pegasus spyware suite exploited this security hole to infect a victim’s phone, extract data, and carry out other espionage.
This exploit, which made the Project Zero team “go wow,” was “an impressive work of art,” Stone wrote.
The second novel attack was a sandbox escape. It occurred in iOS, and Project Zero deemed it “impressive” because this exploit only used logic bugs, rather than memory corruption bugs, to escape a sandbox.
Still, the fact that almost all of these exploits used common methods means cybercriminals aren’t working harder to abuse zero-days. And that’s largely because organizations aren’t making it any harder for miscreants to find and exploit these vulns.
In the annual review, Stone highlighted 52 of the zero-day exploited vulns that Googlers tracked. All of the zero-days from mid-2014 until 2021 are listed in this spreadsheet.
Of the 52, Chromium/Chrome (14) had the most, followed by Windows (10), Safari (7), Android (7), Microsoft Exchange Server (5), Internet Explorer (4) and macOS/iOS (5).
Chrome sets zero-day record
Chromium, which is at the heart of Google’s Chrome, had a record high number of zero-days in 2021.
This is a big deal because almost three billion people use Chrome browser as well as other Chromium-based browsers including Microsoft Edge, Brave, and Vivaldi.
Of the 14 Chromium bugs that were detected and disclosed, 10 were remote code execution flaws in the renderer, two were sandbox escapes, one was an information leak, and one was used to open a webpage in Android apps other than Google Chrome, according to Project Zero.
Google hasn’t said much about the more recent 2022 bugs because they are still being patched by users. But the cloud goliath did say that it’s aware that two of these bugs are being exploit in the wild.
What’s not on the list
And while Project Zero tracked a record number of exploited zero-day bugs in 2021, there are “key targets” missing from this list, Stone noted.
“For example, we know that messaging applications like WhatsApp, Signal, Telegram, etc are targets of interest to attackers and yet there’s only one messaging app, in this case iMessage, zero-day found this past year,” she wrote.
Since the bug hunter team started tracking zero-days, there’s only been two other messaging app vulnerabilities disclosed, one in WhatsApp and one other in iMessage, Stone added.
Similarly, there isn’t any meaningful in-the-wild exploitation of zero-day flaws in CPU cores, Wi-Fi chips, or cellular modems. This, Stone said, “leads to the question of whether these zero-days are absent due to lack of detection, lack of disclosure, or both?”
Additionally, unless software vendors pledge to publicly disclose all potentially exploited vulnerabilities, and follow through with this promise, the public doesn’t know if a given product has no known security holes under attack — or if the company just isn’t sharing that information.
And this leads to one of the steps that Project Zero says can help the security and larger tech industry make more progress in stopping zero-day exploitation:
There are two more step Stone advocates for in the zero-day review.
First, the Project Zero team wants to see more security researchers sharing exploit samples or detailed descriptions of their exploit techniques. Of the 58 zero-days in the report, only five have a publicly available exploit sample, Stone noted.
Without a useful technical write-up, “we can only focus on fixing the vulnerability rather than also mitigating the exploitation method,” she wrote. “This means that attackers are able to continue to use their existing exploit methods rather than having to go back to the design and development phase to build a new exploitation method.”
And finally, Project Zero suggests more work needs to be done to reduce memory corruption vulns or make them unexploitable. As a reminder: memory corruption bugs were responsible for more than two-thirds of last year’s 58 zero-days exploits. ®