The Google Project Zero
“Record year for in-the-wild 0-days”, Google Project Zero said in its annual report for 2021, after 58 in-the-wild 0-day exploits were detected and publicly disclosed during the year.
According to the information that has been revealed, this is more than twice the previous high of 28 in-the-wild 0-days detected in 2015, and well above the 25 detected in 2020.
The substantial rise of in-the-wild 0-days in 2021 is due to greater detection and disclosure of these 0-days, rather than merely increased use of 0-day vulnerabilities, Google Project Zero security researcher Maddie Stone explains in the report. According to Stone, attackers are using the same bug patterns, exploitation methodologies, and attack surfaces as before.
In-house security experts at the company said that most of the exploits were similar to previously discovered and published vulnerabilities, with the exception of two that stood out for their technical sophistication and their use of logic flaws to escape the sandbox.
Both of these 0-days are related to FORCEDENTRY, an iMessage zero-click exploit attributed to NSO Group, a surveillanceware company in Israel. Stone described the exploit as an outstanding piece of art.
A breakdown analysis reveals that most of the in-the-wild 0-days come from Chromium – 14 in number, followed by 10 flaws in Windows, 7 in Android, 7 in WebKit/Safari, 5 in Microsoft Exchange Server, 5 in iOS/macOS, and 4 in Internet Explorer.
As per the analysis, out-of-bounds read and write, buffer overflow, use-after-free, and integer overflow problems all contributed to a total of 39 memory corruption vulnerabilities found in the wild in 2021.
For the record, 13 of the 14 0-days in the Chromium browser are memory corruption vulnerabilities, several of which are use-after-free vulnerabilities.
Google Project Zero also highlighted the absence of public evidence of 0-day flaws being exploited in the wild in messaging services like WhatsApp, Signal, and Telegram, as well as in other components, such as CPU cores, Wi-Fi chips, and the cloud. According to Stone, this raises the question of whether these 0-days are missing owing to a lack of detection, a lack of disclosure, or both.
Still, the report concludes that the cybersecurity industry has made significant progress in the detection and disclosure of 0-day vulnerabilities over the last several years. In addition, the improved detection and disclosure have uncovered new areas for growth.
The post suggests specific initiatives that the tech and security industry may take. For instance, when there is evidence that a vulnerability in a product is being exploited, all vendors should publicly disclose this information. There should also be a practice of vendors and security researchers sharing exploit samples or detailed explanations of the exploit methodologies, as well as consistent efforts to reduce or eliminate memory corruption vulnerabilities.