Half of actively exploited zero-day issues in H1 2022 are variants of previous flaws

Google Project Zero states that in H1 2022 at least half of zero-day issues exploited in attacks were related to not properly fixed old flaws.

Google Project Zero researcher Maddie Stone published a blog post that resumes her speech at the FIRST conference in June 2022, the presentation is titled “0-day In-the-Wild Exploitation in 2022…so far“.

Stone revealed that nine out of 18 zero-day flaws detected and disclosed as exploited in-the-wild in 2022 are variants of previously patched vulnerabilities

“As of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nine of the 0-days are variants of previously patched vulnerabilities. At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests.” wrote Stone. “On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug.”

This means that in many cases the attacks were not so sophisticated, instead threat actors that exploited the issue were able to come back and trigger the known vulnerability through a different path.

For example, the recently discovered Follina Windows vulnerability, tracked as CVE-2022-30190, is a variant of the CVE-2021-40444 MSHTML zero-day.

The following table includes the list of the zero-day and the associated variants:

Product	2022 ITW 0-day	Variant
Windows win32k	CVE-2022-21882	CVE-2021-1732 (2021 itw)
iOS IOMobileFrameBuffer	CVE-2022-22587	CVE-2021-30983 (2021 itw)
Windows	CVE-2022-30190 (“Follina”)	CVE-2021-40444 (2021 itw)
Chromium property access interceptors	CVE-2022-1096	CVE-2016-5128 CVE-2021-30551 (2021 itw) CVE-2022-1232 (Addresses incomplete CVE-2022-1096 fix)
Chromium v8	CVE-2022-1364	CVE-2021-21195
WebKit	CVE-2022-22620 (“Zombie”)	Bug was originally fixed in 2013, patch was regressed in 2016
Google Pixel	CVE-2021-39793** While this CVE says 2021, the bug was patched and disclosed in 2022	Linux same bug in a different subsystem
Atlassian Confluence	CVE-2022-26134	CVE-2021-26084
Windows	CVE-2022-26925 (“PetitPotam”)	CVE-2021-36942 (Patch regressed)

“When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method.” continues Stone. “To do that effectively, we need correct and comprehensive fixes.”

To properly address zero-day vulnerabilities Google researchers recommend platform security teams and other independent security researchers to invest in root cause analysis, variant analysis, patch analysis, and exploit technique analysis.

“Transparently sharing these analyses helps the industry as a whole as well. We publish our analyses at this repository. We encourage vendors and others to publish theirs as well.” concludes Stone. “This allows developers and security professionals to better understand what the attackers already know about these bugs, which hopefully leads to even better solutions and security overall.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]