In 2022, more than 40% of zero-day exploits used in the wild were variations of previous issues

Pierluigi Paganini July 30, 2023

Google’s Threat Analysis Group Google states that more than 40% of zero-day flaws discovered in 2022 were variants of previous issues.

The popular Threat Analysis Group (TAG) Maddie Stone wrote Google’s fourth annual year-in-review of zero-day flaws exploited in-the-wild [2021, 2020, 2019], it is built off of the mid-year 2022 review.

In 2022, the researchers disclosed 41 actively exploited zero-day flaws, which marks the second-most ever recorded since we began tracking in mid-2014. In 2021 the number of zero-days discovered by the researchers were 69 detected. 

zero-day

The number of zero-day vulnerabilities actively exploited in the wild dropped also due 0-click exploits and new browser mitigations implemented by software vendors.

“Many attackers have been moving towards 0-click rather than 1-click exploits. 0-clicks usually target components other than the browser. In addition, all major browsers also implemented new defenses that make exploiting a vulnerability more difficult and could have influenced attackers moving to other attack surfaces.” reads the report published by Google TAG.

However, the researchers pointed out that the 40% drop is not only caused by improved security of software and hardware vendors.

One of the most interesting data that emerged from the report is that over 40% of the 0-days discovered were variants of previously reported vulnerabilities. Below is the list of zero-day flaws that were variants of previously reported bugs:

Product2022 ITW CVEVariant
Windows win32kCVE-2022-21882CVE-2021-1732 (2021 itw)
iOS IOMobileFrameBufferCVE-2022-22587CVE-2021-30983 (2021 itw)
WebKit “Zombie”CVE-2022-22620Bug was originally fixed in 2013, patch was regressed in 2016
Firefox WebGPU IPCCVE-2022-26485Fuzzing crash fixed in 2021
Android in ARM Mali GPUCVE-2021-39793 CVE-2022-22706CVE-2021-28664 (2021 itw)
Sophos FirewallCVE-2022-1040CVE-2020-12271 (2020 itw)
Chromium v8CVE-2022-1096CVE-2021-30551 (2021 itw)
ChromiumCVE-2022-1364CVE-2021-21195
Windows “PetitPotam”CVE-2022-26925CVE-2021-36942 – Patch was regressed
Windows “Follina”CVE-2022-30190CVE-2021-40444 (2021 itw)
Atlassian ConfluenceCVE-2022-26134CVE-2021-26084 (2021 itw)
Chromium IntentsCVE-2022-2856CVE-2021-38000 (2021 itw)
Exchange SSRF “ProxyNotShell”CVE-2022-41040CVE-2021-34473  “ProxyShell”
Exchange RCE “ProxyNotShell”CVE-2022-41082CVE-2023-21529 “ProxyShell”
Internet Explorer JScript9CVE-2022-41128CVE-2021-34480
Windows “Print Spooler”CVE-2022-41073CVE-2022-37987
WebKit JSCCVE-2022-428562016 bug discovered due to test failure

17 out of the 41 actively exploited zero-days from 2022 are variants of previously reported vulnerabilities, this data confirms a trend observed by the researchers in previous reports.

Another aspect highlighted by Google researchers is that as per the attackers’ arsenal N-days function like 0-days on Android due to long patching times. This means that threat actors can use n-days that functioned as 0-days for a long period of time.

Giving a close look at zero-day flaws disclosed by Google TAG, we can observe a 42% drop in the number of in-the-wild detected 0-days targeting browsers from 2021 to 2022 (from 26 to 15). The main reasons for this drop are browsers’ efforts to prevent exploitation and a shift in attacker behavior away from browsers towards 0-click exploits that target other components on the device. 

“Unlike many commodities in the world, a 0-day itself is not finite. Just because one person has discovered the existence of a 0-day vulnerability and developed it into an exploit doesn’t prevent other people from independently finding it too and using it in their exploit.” continues the report. “Most attackers who are doing their own vulnerability research and exploit development do not want anyone else to do the same as it lowers its value and makes it more likely to be detected and fixed quickly.”

Stone recommends vendors provide patches and mitigations to end-users as fast as possible and suggests sharing more details about the root causes of the flaws.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)



you might also like

leave a comment