Last year, the tech industry detected and disclosed 58 zero-day exploits, the most ever recorded in a single year, according to Google.
The number represents a drastic increase from the 25 zero-day exploits the industry detected in 2020, but it doesn’t necessarily mean our software is getting any less secure. Instead, Google says, “We believe the large increase in 0-days in the wild in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased use of 0-day exploits.”
The company announced the findings in a blog post on Tuesday. Since 2014, the search giant has been tracking zero-day exploits, meaning attacks that take advantage of a vulnerability that was unknown to the vendor, and therefore unpatched, at the time it was exploited. The goal of the monitoring is to analyze trends and assess whether the industry is doing enough to stop the problem.
While the number of zero-days skyrocketed in 2021, so did the number of organizations reporting them, reaching 20, double the previous year’s figure. “Anecdotally, we’re hearing from more people who have started doing more work on zero-day exploit detection,” Google added. “It stands to reason that if the number of people working to try to find zero-day exploits increases, then the number of zero-day exploits detected may increase.”
The other factor is that both Google’s Android team and Apple now explicitly note when a disclosed vulnerability was exploited as a zero-day, rather than leaving it unclear. As a result, another 12 zero-day exploits were added to the 2021 list.
Greater transparency is good for IT security. But a persistent issue is how many of the zero-day exploits detected in 2021 are variations on existing, publicly known hacking techniques.
“When we review these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous, publicly known vulnerabilities,” the company said, adding: “We hope it succeeds; attackers would have to find new classes of vulnerability bugs in new attack surfaces using never-before-seen exploitation methods. Overall, that’s not what the data showed us this year.”
Instead, the hackers behind the zero-day attacks probably had an easier time pulling off their exploits. Google added that the majority of zero-day attacks, 67%, took advantage of memory corruption vulnerabilities, which typically stem from programming errors in how software handles memory.
The only two vulnerabilities that stood out to the company were tied to last September’s ForcedEntry zero-day exploit, which targeted iOS devices and Macs and likely came from an Israeli spyware company called NSO Group. The ForcedEntry exploit was so powerful that it could take over an iPhone simply by sending a message to the victim, with no user interaction required. Google described this zero-click attack as an “impressive work of art” for its technical sophistication and its use of logic flaws instead of memory corruption bugs.
The company’s report continues to document vulnerabilities found in products such as Microsoft Windows, Internet Explorer, Chrome, and Android. However, Google noted that its tracking of publicly known zero-day attacks is far from exhaustive.
For example, some platforms, such as WhatsApp, Signal, and Telegram, had no zero-day vulnerabilities reported in 2021, even though all three messaging apps are major targets for hacking. “This begs the question of whether these 0-days are missing due to lack of detection, lack of disclosure, or both,” the company said.
The other issue is that the tech industry focuses on disclosing vulnerabilities but often says little about the methods hackers used to exploit them. “This means that attackers can continue to use their existing exploit methods instead of having to go back to the design and development phase to build a new exploit method,” the company said.
In response, Google calls on the tech industry to share “exploitation samples or detailed technical descriptions of vulnerabilities… more widely by disclosing zero-day vulnerabilities.” Additionally, the company is urging vendors to do more to crack down on memory corruption bugs or make them unexploitable.