Last year, the tech industry detected and reported 58 zero-day exploits, the most ever recorded in a single year, according to Google.
The number represents a dramatic increase from the 25 zero-day exploits the industry spotted in 2020, but it doesn’t necessarily mean our software is becoming more insecure. Instead, Google says, “We believe the big increase in 0-days in the wild in 2021 is due to increased detection and disclosure of those 0-days, rather than simply increasing use of 0-day exploits.”
The company announced the findings in a blog post on Tuesday. Since 2014, the search giant has been tracking zero-day exploits, or computer hacks that take advantage of a previously unknown vulnerability that is unpatched. The purpose behind tracking is to analyze trends and assess whether the industry is doing enough to stop the problem.
While the number of zero-days skyrocketed in 2021, so did the number of organizations reporting the threats, which reached 20, or double the previous year. “Anecdotally, we’ve heard from more people who have started working harder on detecting 0-day exploits,” added Google. “It stands to reason that if the number of people working on trying to find 0-day exploits increases, the number of 0-day exploits detected could increase.”
The other factor is that Google’s Android team and Apple have begun clearly noting when a disclosed vulnerability was a zero-day exploit, rather than leaving that uncertain. As a result, another 12 zero-day exploits were added to the 2021 list.
Increased transparency is good for IT security. But a persistent problem is that many of the zero-day exploits detected in 2021 are variations of existing, publicly known vulnerabilities and hacking techniques.
“When we look at these 58 0-days used in 2021, what we see is 0-days similar to previous, publicly known vulnerabilities,” the company said, adding, “We hope this is successful; if so, attackers would have to find new classes of bugs and vulnerabilities on new attack surfaces using never-before-seen methods of exploitation. In general, that’s not what the data showed us this year.”
Instead, the hackers behind the zero-day attacks likely had an easier time developing their exploits. Google added that the majority of zero-day attacks – 67% – leveraged memory corruption vulnerabilities, which often result from programming errors in computer code.
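The memory-corruption class the report counts is usually a length that crosses a trust boundary and is then used, unchecked, as a read or write bound. The following is an added illustration written for this article, not code from Google’s report or from any of the products it names. It uses a hypothetical length-prefixed record format (constructed here) and shows the unchecked parser beside the checked one, with the checked form rejecting rather than truncating malformed input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_CAP 32   /* capacity of the caller's output buffer, NUL included */

/*
 * Hypothetical record format, constructed for this example:
 *   byte 0     : declared payload length L
 *   bytes 1..L : payload
 *
 * Unchecked parser: trusts L for both the read and the write. If L exceeds
 * the bytes actually received it reads past msg; if L >= PAYLOAD_CAP it
 * writes past out. That is the programming error behind most of the 67%.
 * Kept only for contrast and never called on malformed input here.
 */
int parse_record_unchecked(const uint8_t *msg, size_t msg_len, char out[PAYLOAD_CAP]) {
    (void)msg_len;                   /* the bug: the real length is ignored */
    size_t declared = msg[0];
    memcpy(out, msg + 1, declared);  /* over-read and over-write when declared is too large */
    out[declared] = '\0';
    return (int)declared;
}

/*
 * Checked parser: every attacker-influenced length is validated against
 * both the bytes received and the destination capacity before use.
 * Returns the payload length, or -1 for any malformed record.
 */
int parse_record_checked(const uint8_t *msg, size_t msg_len, char out[PAYLOAD_CAP]) {
    if (msg == NULL || out == NULL || msg_len < 1) return -1;
    size_t declared = msg[0];
    if (declared > msg_len - 1) return -1;   /* claims more bytes than were received */
    if (declared >= PAYLOAD_CAP) return -1;  /* would not fit with the terminating NUL */
    memcpy(out, msg + 1, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Constructed inputs exercising the checked parser. */
int demo_well_formed(void) {
    const uint8_t good[] = {5, 'h', 'e', 'l', 'l', 'o'};
    char out[PAYLOAD_CAP];
    int n = parse_record_checked(good, sizeof good, out);
    if (n == 5 && strcmp(out, "hello") != 0) return -2;  /* payload corrupted */
    return n;  /* 5 */
}

int demo_short_message(void) {
    const uint8_t short_msg[] = {200, 'a', 'b'};  /* declares 200, carries 2 */
    char out[PAYLOAD_CAP];
    return parse_record_checked(short_msg, sizeof short_msg, out);  /* -1 */
}

int demo_oversized_payload(void) {
    uint8_t big[1 + 40];  /* declares 40 bytes against a 32-byte buffer */
    big[0] = 40;
    memset(big + 1, 'A', 40);
    char out[PAYLOAD_CAP];
    return parse_record_checked(big, sizeof big, out);  /* -1 */
}

int main(void) {
    printf("well-formed:       %d\n", demo_well_formed());
    printf("short message:     %d\n", demo_short_message());
    printf("oversized payload: %d\n", demo_oversized_payload());
    return 0;
}
```

The two extra comparisons in the checked parser are the entire difference between the two functions; the report’s request that vendors make such bugs unexploitable is about moving those checks into the language or runtime so that a single missing comparison is no longer enough to corrupt memory.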
Only two vulnerabilities stood out to the company, and they involved last September’s zero-day ForcedEntry exploit, which targeted iOS and Mac devices and likely came from an Israeli spyware company called NSO Group. The ForcedEntry exploit was so powerful that it was able to take control of an iPhone simply by sending a message to the victim, with no user interaction required. Google described this zero-click attack as a “stunning work of art” for its technical sophistication and its use of logical flaws rather than memory corruption bugs.
The company’s report goes on to document the vulnerabilities detected in products such as Microsoft Windows, Internet Explorer, Chrome and Android. However, Google noted that its tracking of publicly known zero-day attacks is far from complete.
For example, some platforms – like WhatsApp, Signal, Telegram – did not report zero-day vulnerabilities in 2021, even though all three messaging apps are prime targets for hackers. “This leads to the question of whether these 0-days are absent due to lack of detection, lack of disclosure, or both?” said the company.
The other problem is that the tech industry focuses on disclosing vulnerabilities but often says little about the methods hackers used to exploit them. “This means that attackers can continue using their existing methods of exploitation, rather than having to go back to the design and development phase to create a new method of exploitation,” the company said.
In response, Google is asking the tech industry to share “exploit samples or detailed technical descriptions of exploits… more widely by disclosing zero-day vulnerabilities.” In addition, the company is asking vendors to do more to crack down on memory corruption bugs or make them unexploitable.