Pierluigi Paganini
July 03, 2022
Google Project Zero researcher Maddie Stone published a blog post that resumes her speech at the FIRST conference in June 2022, the presentation is titled “0-day In-the-Wild Exploitation in 2022…so far“.
Stone revealed that nine out of 18 zero-day flaws detected and disclosed as exploited in-the-wild in 2022 are variants of previously patched vulnerabilities
“As of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nine of the 0-days are variants of previously patched vulnerabilities. At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests.” wrote Stone. “On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug.”
This means that in many cases the attacks were not so sophisticated, instead threat actors that exploited the issue were able to come back and trigger the known vulnerability through a different path.
For example, the recently discovered Follina Windows vulnerability, tracked as CVE-2022-30190, is a variant of the CVE-2021-40444 MSHTML zero-day.
The following table includes the list of the zero-day and the associated variants:
| Product | 2022 ITW 0-day | Variant |
| Windows win32k | CVE-2022-21882 | CVE-2021-1732 (2021 itw) |
| iOS IOMobileFrameBuffer | CVE-2022-22587 | CVE-2021-30983 (2021 itw) |
| Windows | CVE-2022-30190 (“Follina”) | CVE-2021-40444 (2021 itw) |
| Chromium property access interceptors | CVE-2022-1096 | CVE-2016-5128 CVE-2021-30551 (2021 itw) CVE-2022-1232 (Addresses incomplete CVE-2022-1096 fix) |
| Chromium v8 | CVE-2022-1364 | CVE-2021-21195 |
| WebKit | CVE-2022-22620 (“Zombie”) | Bug was originally fixed in 2013, patch was regressed in 2016 |
| Google Pixel | CVE-2021-39793** While this CVE says 2021, the bug was patched and disclosed in 2022 | Linux same bug in a different subsystem |
| Atlassian Confluence | CVE-2022-26134 | CVE-2021-26084 |
| Windows | CVE-2022-26925 (“PetitPotam”) | CVE-2021-36942 (Patch regressed) |
“When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method.” continues Stone. “To do that effectively, we need correct and comprehensive fixes.”
To properly address zero-day vulnerabilities Google researchers recommend platform security teams and other independent security researchers to invest in root cause analysis, variant analysis, patch analysis, and exploit technique analysis.
“Transparently sharing these analyses helps the industry as a whole as well. We publish our analyses at this repository. We encourage vendors and others to publish theirs as well.” concludes Stone. “This allows developers and security professionals to better understand what the attackers already know about these bugs, which hopefully leads to even better solutions and security overall.”
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, zero-day)
[adrotate banner=”5″]
[adrotate banner=”13″]
