Last year, the tech industry detected and disclosed 58 zero-day exploits, the most ever recorded in a single year, according to Google.
The number represents a drastic increase from the 25 zero-day exploits the industry detected in 2020, but it doesn’t necessarily mean our software is becoming more insecure. Instead, Google says: “We believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.”
The company announced the findings in a Tuesday blog post. Since 2014, the search giant has been tracking zero-day exploits, or computer hacks that leverage a previously unknown vulnerability that has no patch. The goal behind the tracking is to analyze trends and gauge whether the industry is doing enough to stop the problem.
Although the number of zero-days shot up in 2021, so did the number of organizations reporting the threats, which reached 20, double the year before. “Anecdotally, we hear from more people that they’ve begun working more on detection of 0-day exploits,” Google added. “It stands to reason that if the number of people working on trying to find 0-day exploits increases, then the number of in-the-wild 0-day exploits detected may increase.”
The other factor is that both Google’s Android team and Apple now properly annotate when a disclosed vulnerability was exploited as a zero-day, rather than leaving it unclear. As a result, another 12 zero-day exploits were added to the 2021 list.
Increased transparency is good for IT security. But one lingering problem is how many of the zero-day exploits detected in 2021 are variations of existing, publicly known hacking techniques.
“When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities,” the company said, while adding: “We’d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn’t what the data showed us this year.”
Instead, the hackers behind the zero-day attacks probably had an easier time developing their exploits. Google added that a majority of the zero-day attacks—67%—leveraged memory corruption vulnerabilities, which usually stem from programming errors in the code.
The only two vulnerabilities that stood out to the company were part of last September’s ForcedEntry zero-day exploit, which targeted iOS and Mac devices and likely came from an Israeli spyware company called NSO Group. The ForcedEntry exploit was so powerful it was capable of taking over an iPhone simply by sending a message to the victim, no user interaction required. Google described this zero-click attack as an “impressive work of art” for its technical sophistication and its use of logic flaws instead of memory corruption bugs.
The company’s report goes on to document the vulnerabilities detected in products such as Microsoft Windows, Internet Explorer, Chrome, and Android. However, Google noted its tracking of publicly known zero-day attacks is far from thorough.
For example, some platforms—such as WhatsApp, Signal, Telegram—reported no zero-day vulnerabilities in 2021, even though all three messaging apps are major targets for hacking. “This leads to the question of whether these 0-days are absent due to lack of detection, lack of disclosure, or both?” the company said.
The other problem is that the tech industry focuses on disclosing the vulnerabilities but often says little about the methods the hackers used to deliver the attacks. “This means that attackers are able to continue to use their existing exploit methods rather than having to go back to the design and development phase to build a new exploitation method,” the company said.
In response, Google is calling on the tech industry to share “exploit samples or detailed technical descriptions of the exploits…more widely when disclosing zero-day vulnerabilities.” In addition, the company is urging vendors to do more to crack down on memory corruption bugs or render them unexploitable.
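To make concrete what the article means by memory corruption bugs that "stem from programming errors in the code" and what rendering them unexploitable looks like in practice, here is an added example that is not part of Google's report or the article. It uses a constructed, hypothetical wire format (one declared-length byte followed by a payload, nothing taken from any real messaging app) and shows the classic defect beside its checked form: the unchecked parser trusts an attacker-controlled length field, while the hardened parser validates that length against both the destination buffer and the bytes actually present before any copy happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format (constructed for this example):
   byte 0 = declared payload length, bytes 1.. = payload.
   The parser copies the payload into a fixed 16-byte buffer. */
#define PAYLOAD_MAX 16

typedef struct {
    uint8_t data[PAYLOAD_MAX];
    size_t  len;
} payload_t;

/* Scratch destination used by main() and by tests. */
payload_t scratch;

/* DEFECTIVE PATTERN: trusts the length byte. A declared length above
   PAYLOAD_MAX makes memcpy write past data[] (buffer overflow); a
   declared length above the bytes present makes it read past the
   message (out-of-bounds read). Both are the memory-corruption class
   the report describes. Kept here only for contrast. */
int parse_payload_unchecked(const uint8_t *msg, size_t msg_len, payload_t *out)
{
    if (msg_len < 1) return -1;
    size_t declared = msg[0];
    memcpy(out->data, msg + 1, declared);   /* no bounds check */
    out->len = declared;
    return 0;
}

/* HARDENED: every length is validated against the destination capacity
   and against the bytes actually received before memory is touched.
   Distinct error codes let callers log which check failed. */
int parse_payload_checked(const uint8_t *msg, size_t msg_len, payload_t *out)
{
    if (msg == NULL || out == NULL || msg_len < 1) return -1;
    size_t declared = msg[0];
    if (declared > PAYLOAD_MAX)  return -2;   /* would overflow out->data */
    if (declared > msg_len - 1)  return -3;   /* would read past the message */
    memcpy(out->data, msg + 1, declared);
    out->len = declared;
    return 0;
}

/* Constructed sample messages (not real captures). */
const uint8_t MSG_OK[]        = { 5, 'h', 'e', 'l', 'l', 'o' };
const uint8_t MSG_TOO_LONG[]  = { 200, 'x', 'x', 'x' };   /* length claims 200 > PAYLOAD_MAX */
const uint8_t MSG_TRUNCATED[] = { 10, 'a', 'b' };         /* length claims 10 > 2 bytes present */

int main(void)
{
    /* Only the checked parser is fed the malformed messages; the
       unchecked one would corrupt memory on them. */
    printf("ok:        %d\n", parse_payload_checked(MSG_OK, sizeof MSG_OK, &scratch));
    printf("too long:  %d\n", parse_payload_checked(MSG_TOO_LONG, sizeof MSG_TOO_LONG, &scratch));
    printf("truncated: %d\n", parse_payload_checked(MSG_TRUNCATED, sizeof MSG_TRUNCATED, &scratch));
    return 0;
}
```

The defensive point is the ordering: validate, then copy. Compiler hardening (stack protectors, sanitizers in test builds, fortified libc calls) can catch some of these mistakes after the fact, but the checks in `parse_payload_checked` are what remove the bug class from the code itself.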