The popular Threat Analysis Group (TAG) Maddie Stone wrote Google’s fourth annual year-in-review of zero-day flaws exploited in-the-wild [2021, 2020, 2019], it is built off of the mid-year 2022 review.
In 2022, the researchers disclosed 41 actively exploited zero-day flaws, which marks the second-most ever recorded since we began tracking in mid-2014. In 2021 the number of zero-days discovered by the researchers were 69 detected.
The number of zero-day vulnerabilities actively exploited in the wild dropped also due 0-click exploits and new browser mitigations implemented by software vendors.
“Many attackers have been moving towards 0-click rather than 1-click exploits. 0-clicks usually target components other than the browser. In addition, all major browsers also implemented new defenses that make exploiting a vulnerability more difficult and could have influenced attackers moving to other attack surfaces.” reads the report published by Google TAG.
However, the researchers pointed out that the 40% drop is not only caused by improved security of software and hardware vendors.
One of the most interesting data that emerged from the report is that over 40% of the 0-days discovered were variants of previously reported vulnerabilities. Below is the list of zero-day flaws that were variants of previously reported bugs:
|2022 ITW CVE
|CVE-2021-1732 (2021 itw)
|CVE-2021-30983 (2021 itw)
|Bug was originally fixed in 2013, patch was regressed in 2016
|Firefox WebGPU IPC
|Fuzzing crash fixed in 2021
|Android in ARM Mali GPU
|CVE-2021-28664 (2021 itw)
|CVE-2020-12271 (2020 itw)
|CVE-2021-30551 (2021 itw)
|CVE-2021-36942 – Patch was regressed
|CVE-2021-40444 (2021 itw)
|CVE-2021-26084 (2021 itw)
|CVE-2021-38000 (2021 itw)
|Exchange SSRF “ProxyNotShell”
|Exchange RCE “ProxyNotShell”
|Internet Explorer JScript9
|Windows “Print Spooler”
|2016 bug discovered due to test failure
17 out of the 41 actively exploited zero-days from 2022 are variants of previously reported vulnerabilities, this data confirms a trend observed by the researchers in previous reports.
Another aspect highlighted by Google researchers is that as per the attackers’ arsenal N-days function like 0-days on Android due to long patching times. This means that threat actors can use n-days that functioned as 0-days for a long period of time.
Giving a close look at zero-day flaws disclosed by Google TAG, we can observe a 42% drop in the number of in-the-wild detected 0-days targeting browsers from 2021 to 2022 (from 26 to 15). The main reasons for this drop are browsers’ efforts to prevent exploitation and a shift in attacker behavior away from browsers towards 0-click exploits that target other components on the device.
“Unlike many commodities in the world, a 0-day itself is not finite. Just because one person has discovered the existence of a 0-day vulnerability and developed it into an exploit doesn’t prevent other people from independently finding it too and using it in their exploit.” continues the report. “Most attackers who are doing their own vulnerability research and exploit development do not want anyone else to do the same as it lowers its value and makes it more likely to be detected and fixed quickly.”
Stone recommends vendors provide patches and mitigations to end-users as fast as possible and suggests sharing more details about the root causes of the flaws.
(SecurityAffairs – hacking, zero-day)