Google Project Zero has called 2021 a “record year for 0 days in nature,” as 58 security vulnerabilities were detected and disclosed during the year.
The development marks more than double the previous maximum when 28 zero-day exploits were tracked in 2015. In contrast, only 25 zero-day exploits were detected in 2020.
“The sharp increase in 0-days in the wild in 2021 is due to increased detection and disclosure of these 0-days, rather than just increased use of 0-day exploits,” a security researcher said. of Google Project Zero. Pierre Maddie mentioned.
“Attackers succeed by using the same bug patterns and exploitation techniques and attacking the same attack surfaces,” Stone added.
The tech giant’s internal security team characterized the exploits as similar to previous and publicly known vulnerabilities, with only two of them significantly different for technical sophistication and the use of logic bugs to escape the sandbox. .
The sandbox escape is “notable for only using logic bugs”, Google Project Zero researchers Ian Beer and Samuel Groß Explain last month. “The most striking point is the depth of the attacking surface accessible from what would hopefully be a fairly restricted sandbox.”
A breakdown of these exploits by platform shows that most 0-days in the wild came from Chromium (14), followed by Windows (10), Android (7), WebKit/Safari (7), Microsoft Exchange Server ( 5), iOS/macOS (5) and Internet Explorer (4).
Of the 58 0 days in the wild observed in 2021, 39 were memory corruption vulnerabilities, bugs resulting from use-after-free (17), out-of-bounds read and write (6), buffer overflow (4) and integer overflow (4).
It’s also worth noting that 13 of Chromium’s 14 Day 0s were memory corruption vulnerabilities, most of which, in turn, were use-after-free vulnerabilities.
Additionally, Google Project Zero pointed to the lack of public examples highlighting the wild exploitation of 0-day flaws in messaging services such as WhatsApp, Signal, and Telegram, as well as other components. including processor cores, Wi-Fi chips, and the cloud.
“That leads to the question of whether these 0-days are missing due to lack of detection, lack of disclosure, or both?” Stone said, adding, “As an industry, we let’s not make 0-day difficult.”
“0-day will be more difficult when, overall, attackers are not able to use public methods and techniques to develop their 0-day exploits”, forcing them “to start from scratch each time we detect one of their exploits”.