Google Project Zero called 2021 a “record year for in-the-wild 0-days,” as 58 security vulnerabilities were detected and disclosed as exploited in the wild over the course of the year.
The figure is more than double the previous high of 28 in-the-wild 0-day exploits, tracked in 2015. By contrast, only 25 such exploits were detected in 2020.
“The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits,” Google Project Zero security researcher Maddie Stone said.
“Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces,” Stone added.
The tech giant’s in-house security team characterized the exploits as similar to earlier, publicly known vulnerabilities, with only two of them standing out for their technical sophistication and their use of logic bugs, rather than memory corruption, to escape the sandbox.
Both of them relate to FORCEDENTRY, a zero-click iMessage exploit attributed to the Israeli surveillanceware company NSO Group. “The exploit was an impressive work of art,” Stone said.
The sandbox escape is “notable for using only logic bugs,” Google Project Zero researchers Ian Beer and Samuel Groß explained last month. “The most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.”
A per-platform breakdown of these exploits shows that most of the in-the-wild 0-days were found in Chromium (14), followed by Windows (10), Android (7), WebKit/Safari (7), Microsoft Exchange Server (5), iOS/macOS (5), and Internet Explorer (4).
Of the 58 in-the-wild 0-days observed in 2021, 39 were memory corruption vulnerabilities, with the bugs stemming from use-after-free (17), out-of-bounds read and write (6), buffer overflow (4), and integer overflow (4) flaws.
It’s also worth noting that 13 of the 14 Chromium 0-days were memory corruption vulnerabilities, most of which, in turn, were use-after-free bugs.
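To make the four bug classes in the tally concrete, here is an added illustration (written for this page, not code from Project Zero or from any of the exploits it tracked) that pairs the unchecked pattern behind each class with the check that closes it. The struct and function names are hypothetical; the point is the shape of the check, in particular the overflow-safe form of the bounds test and the null-after-free pattern.

```c
/* Added example for this page: one unchecked pattern per memory-corruption
 * class counted by Project Zero for 2021, next to its checked form.
 * Illustrative code only; names are made up for the example. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Integer overflow: count * size wraps, malloc hands back a short buffer,
 * and whatever fills it later becomes a heap overflow. The checked form
 * refuses the multiplication before it can wrap. */
void *alloc_array_unchecked(size_t count, size_t size) {
    return malloc(count * size);                 /* wraps silently */
}

void *alloc_array_checked(size_t count, size_t size) {
    if (size != 0 && count > SIZE_MAX / size)    /* product would wrap */
        return NULL;
    return malloc(count * size);
}

/* Out-of-bounds read/write: copying a field out of a length-prefixed
 * record. The test is written as off > len || n > len - off so that the
 * sum off + n can never itself overflow and slip past the check. */
int read_field(const uint8_t *buf, size_t len, size_t off, size_t n,
               uint8_t *out) {
    if (off > len || n > len - off)
        return -1;                               /* reject, never read past buf */
    memcpy(out, buf + off, n);
    return 0;
}

/* Buffer overflow: a strcpy-style copy trusts the source length. The
 * checked form requires room for the data and its terminator. */
int copy_name_checked(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;                               /* would not fit with the NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Use-after-free: freeing through a helper that takes the caller's pointer
 * by reference and nulls it turns a later use into a NULL dereference
 * (a crash) instead of a dangling pointer into reusable heap memory. */
struct session { int id; char *token; };

void session_free(struct session **sp) {
    if (*sp) {
        free((*sp)->token);
        free(*sp);
        *sp = NULL;                              /* nothing dangling left behind */
    }
}

int main(void) {
    uint8_t rec[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }, out[8];
    char name[4];
    struct session *s = malloc(sizeof *s);
    s->id = 1;
    s->token = malloc(4);

    printf("huge alloc -> %s\n", alloc_array_checked(SIZE_MAX, 2) ? "ptr" : "NULL");
    printf("read 4@6 of 8 -> %d\n", read_field(rec, sizeof rec, 6, 4, out));
    printf("copy \"abcd\" into 4 -> %d\n", copy_name_checked(name, sizeof name, "abcd"));
    session_free(&s);
    printf("session after free -> %s\n", s ? "dangling" : "NULL");
    return 0;
}
```

The checked forms are deliberately boring: each is a single comparison placed before the operation it guards. That is the practical counterpoint to Stone's observation that attackers keep succeeding with the same bug patterns.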
What’s more, Google Project Zero pointed out the lack of public examples of in-the-wild exploitation of 0-day flaws in messaging services like WhatsApp, Signal, and Telegram, as well as in other components, including CPU cores, Wi-Fi chips, and the cloud.
“This leads to the question of whether these 0-days are absent due to lack of detection, lack of disclosure, or both?” Stone said, adding, “As an industry we’re not making 0-day hard.”
“0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits,” forcing them “to start from scratch each time we detect one of their exploits.”