Google: Half of Zero-Day Exploits Linked to Bad Software Solutions


Image: Shutterstock/Gorodenkoff

Half of the 18 zero-day bugs exploited before a patch was released to the public this year could have been prevented if only major software vendors had more thoroughly patched and tested.

That’s the verdict of researchers at Google Project Zero (GPZ), which has so far counted 18 zero-day bugs in 2022 affecting Microsoft Windows, Apple iOS and WebKit, Google’s Chromium and Pixel, and Atlassian’s Confluence server.

GPZ only collects data about zero-day (0-day) bugs — or bugs exploited by attackers before a patch is available — in major software products, so the figure does not include all software 0 days

TO SEE: Don’t let your cloud cybersecurity choices open the door to hackers

Also, according to GPZ, there have only been four truly unique 0 days this year, and that’s because attackers can tweak exploits to bypass superficial patches.

“At least half of the 0 days we saw in the first six months of 2022 could have been prevented with more extensive patch and regression testing. In addition, four of the 2022 2021 0-day variants are in-the-wild 0 -days. Just 12 months after the original in-the-wild 0-day was patched, attackers came back with a variant of the original bug,” GPZ member Maddie Stone writes in a blog post

She adds that at least half of the 0 days are “closely related to bugs we’ve seen before.”

That lack of originality supports a trend Stone and others at Google have recently highlighted to rearrange discussions on 0 days.

More 0 days were found in 2021 than in the past five years that GPZ has counted them† Several factors may play a role. First, researchers could better detect that they are being exploited in the wild than before† On the other hand, codebases for browsers have become as complex as operating systems. Also, browsers have become a top target, thanks to the demise of browser plugins like Flash Player.

But as detection, disclosure, and patching improve across the industry, Stone has previously argued that the industry does “don’t make a 0 day difficult”† She wants the industry to wipe out entire classes of security flaws.

For example, 67% of the 58 in-the-wild 0 days in 2021 were memory corruption vulnerabilities.

The Chrome security team is working on memory bug fixes derived from the browser’s huge code base written in C++but mitigations come at a performance cost† Chrome can’t practically just be rewritten in Rust, which offers better memory security guarantees than C and C++.

TO SEE: These hackers are spreading ransomware as a distraction – to hide their cyberespionage

Stone also points out that Microsoft’s Windows team and Google’s Chrome team have provided patches that are nothing more than adhesive patches.

“Many of the 2022 in-the-wild 0 days are due to the previous vulnerability not being fully patched. In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution flow that creates the proof -of-concept exploits Tasks were patched, but the root cause problem was not addressed: attackers could come back and activate the original vulnerability through a different path,” she says.

“And in the case of the WebKit and Windows PetitPotam Problemsthe original vulnerability was patched before, but at some point reverted so attackers could exploit the same vulnerability again

These are the 0 days that GPZ has kept until June 15th this year.

Leave a Comment

Your email address will not be published. Required fields are marked *