Google Project Zero reported 58 exploited zero-day vulnerabilities in 2021, a record in the time the team of security researchers has been watching.
In a year-in-review report on the number instances a zero-day bug has been exploited in the wild, researchers noted the number a 2x increase in detected flaws since 2020. Google mentioned 25 zero-day bugs in 2020 & 2019.
Aggressive Approach
Google stated the report highlights the importance of the security industry to take an aggressive approach at making it harder for attackers to exploit zero-day vulnerabilities.
“We heard over & over & over about how govts. were targeting journalists, minoritized populations, politicians, human rights defenders, & even security researchers around the world. The decisions we make in the security and tech communities can have real impacts on society & our fellow humans’ lives,” researchers wrote.
Commercial Firms
The report referenced recent & past work by Citizen Lab, which earlier in the week shed light on multiple zero-day bugs exploited by commercial firms NSO Group & Candiru. Those firms were tied to efforts to use zero-day bugs in a multi-year campaign targeting autonomous region of Spain – Catalonia.
Google attributes the uptick in reported zero-day bugs, not to higher volumes of bugs, rather an increase in detection & disclosure. Also, not a revelation, is attacker methodology, researchers wrote.
Bug Patterns
“Attackers are having success using the same bug patterns & exploitation techniques & going after the same attack surfaces,” wrote the author of the report Maddie Stone, security researchers with Google Project Zero.
Whilst this was Google’s 3rd-annual review of zero-days exploited in the wild, researchers outlined they have been tracking instances of zero-day bugs since mid-2014. “We’ve tracked publicly known in-the-wild 0-day exploits in this spreadsheet since mid-2014,” Stone wrote.
The important distinction in Google’s research is between known in-the-wild bugs & exploited in-the-wild bugs.
“While we often talk about the number of 0-day exploits used in-the-wild, what we’re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild,” she wrote.
Types of Zero-Days
Google reported of the 58 in-the-wild 0-days for the year, 39 were memory corruption vulnerabilities, 17 use-after-free, 6 out-of-bounds read/write bugs, 4 buffer overflow & the remaining 4 integer overflow.
Google also provided a list of platforms impacted, such as Chromium (Chrome) with 14 zero-days. “Chromium had a record high number of 0-days detected & disclosed in 2021 with 14.
Execution Bugs
Out of these 14, 10 were renderer remote code execution bugs, 2 were sandbox escapes, 1 was an infoleak, & 1 was used to open a webpage in Android apps other than Google Chrome,” Stone wrote.
7 zero-day bugs were found in the Safari WebKit component. Microsoft’s Internet Explorer had a reported 4 zero-days exploited in the wild. Microsoft’s Windows operating system had 10 zero-days & Apple had a total of 6, with 5 iOS zero-days exploited & macOS with one.
2022
Looking to 2022, Google Project Zero stated it hoped to see progress on several fronts.
It proposed:
- All vendors agree to disclose the in-the-wild exploitation status of vulnerabilities in their security bulletins.
- Exploit samples or detailed technical descriptions of the exploits are shared more widely.
- Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable. Launch mitigations that will significantly impact the exploitability of memory corruption vulnerabilities.