Poor Software Patches Are Responsible for Half of the In-the-Wild Zero-day Vulnerabilities Seen So Far in 2022
Project Zero Researchers Believe Software Vendors Should Analyse the Root Causes of Security Vulnerabilities.
Project Zero is a team of security researchers at Google that was established in 2014. Its primary mission is to investigate zero-day vulnerabilities in the hardware and software systems that people all around the globe rely on, with the aim of making the identification and exploitation of security vulnerabilities more difficult and so making the Internet safer and more secure for everyone.
The researchers conduct vulnerability research on widely used software such as mobile operating systems, web browsers, and open source libraries, and report what they find so that vendors can patch serious security vulnerabilities. The work also improves our understanding of how exploit-based attacks function and drives long-term structural improvements to security.
If major software vendors had shipped more comprehensive patches and run regression tests, they could have prevented the exploitation of half of the 18 'zero-day' flaws that were discovered and used in the first half of 2022, that is, exploited before a fix was made available to the general public.
Researchers at Google Project Zero (GPZ) reached this conclusion after tallying 18 in-the-wild zero-days so far in 2022, affecting Microsoft Windows, Apple iOS and WebKit, Google's Chromium and Pixel, and Atlassian's Confluence servers.
Because GPZ only tracks zero-days, meaning flaws exploited by attackers before a patch is available, that are detected in the wild in major software products, the figure is not a count of all zero-days, let alone of all software faults.
Furthermore, according to GPZ, four of this year's zero-days are variants of bugs that were already exploited in the wild in 2021. Attackers can modify an exploit to circumvent a superficial fix, so a patch that blocks only the known trigger leaves the underlying vulnerability reachable.
In GPZ's own words: "At least half of the 0-days we've seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests. On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug."
GPZ has been counting zero-days for the last five years, and in 2021 it recorded more of them than in any previous year. Several factors may contribute. First, detection and disclosure of in-the-wild exploitation have improved, so more cases are being spotted than in the past. Second, browser code bases have grown as complex as operating systems. Third, with the retirement of plugins such as Flash Player, browsers themselves have become a primary target for attackers.
As ZDNet explains, despite improvements across the industry in detection, disclosure, and patching, the industry is not yet making zero-day hard: memory corruption vulnerabilities accounted for 67 percent of the 58 zero-day exploits discovered in the wild in 2021.
GPZ summarises the failure modes as follows: "Many of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched. In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution flow that the proof-of-concept exploits took were patched, but the root cause issue was not addressed: attackers were able to come back and trigger the original vulnerability through a different path. And in the case of the WebKit and Windows PetitPotam issues, the original vulnerability had previously been patched, but at some point regressed so that attackers could exploit the same vulnerability again. In the iOS IOMobileFrameBuffer bug, a buffer overflow was addressed by checking that a size was less than a certain number, but it didn't check a minimum bound on that size. For more detailed explanations of three of the 0-days and how they relate to their variants, please see the slides from the talk.
"When 0-day exploits are detected in-the-wild, it's the failure case for an attacker. It's a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can't be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they're forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes."
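To make the IOMobileFrameBuffer pattern and the "regression tests" point concrete, here is an added example in C. It is not code from Project Zero, Apple, or this article; the frame structure, buffer size, function names and the test inputs are assumptions made for illustration. A signed length is checked only against an upper bound, so a negative value slips through and becomes an enormous size_t at the copy, reproducing the original overflow through a new path; the root-cause fix checks both bounds, and a small regression suite of the kind GPZ says was missing exercises the original trigger together with its variants.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for the example: a fixed-size buffer whose length field
 * comes from an untrusted caller. Not the real iOS driver code. */
#define FRAME_MAX 256

struct frame {
    uint8_t data[FRAME_MAX];
};

/* "Superficial" patch: only an upper bound on a signed length is enforced.
 * A negative length passes, and once converted to size_t for the copy it
 * becomes huge, so the overflow is reachable again through a different input. */
static int length_ok_superficial(int32_t len)
{
    return len < FRAME_MAX;
}

/* Root-cause fix: both bounds are checked on the signed value as received. */
static int length_ok_complete(int32_t len)
{
    return len >= 0 && len < FRAME_MAX;
}

/* Copy a caller-supplied payload into the frame after applying `check`.
 * Returns the number of bytes copied, or -1 if the length is rejected.
 * So that the demo is safe to run, a copy that the check allowed but that
 * would exceed the buffer is not performed; it is reported via *would_overflow. */
static int copy_frame(struct frame *f, const uint8_t *src, int32_t len,
                      int (*check)(int32_t), int *would_overflow)
{
    *would_overflow = 0;
    if (!check(len))
        return -1;
    size_t n = (size_t)len;      /* the implicit conversion an unguarded memcpy would make */
    if (n > FRAME_MAX) {         /* guard for the demo only; the weak check let this through */
        *would_overflow = 1;
        return -1;
    }
    memcpy(f->data, src, n);
    return (int)n;
}

/* Regression suite: the original trigger (too large) plus the variants
 * (negative, boundary values). Returns the number of inputs the check gets wrong. */
static int regression_suite(int (*check)(int32_t))
{
    static const int32_t bad[]  = { FRAME_MAX, FRAME_MAX + 1, INT32_MAX, -1, INT32_MIN };
    static const int32_t good[] = { 0, 1, FRAME_MAX - 1 };
    int failures = 0;
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        if (check(bad[i])) failures++;
    for (size_t i = 0; i < sizeof good / sizeof good[0]; i++)
        if (!check(good[i])) failures++;
    return failures;
}

int main(void)
{
    struct frame f;
    uint8_t payload[16] = {0};   /* constructed sample input */
    int wo, r;

    r = copy_frame(&f, payload, -1, length_ok_superficial, &wo);
    printf("superficial check, len=-1: result=%d would_overflow=%d\n", r, wo);
    r = copy_frame(&f, payload, -1, length_ok_complete, &wo);
    printf("complete check,    len=-1: result=%d would_overflow=%d\n", r, wo);
    printf("regression failures: superficial=%d complete=%d\n",
           regression_suite(length_ok_superficial),
           regression_suite(length_ok_complete));
    return 0;
}
```

The point of the suite is that it is written from the bug class, not from the single proof-of-concept: the upper-bound case that the first exploit used is only one of the inputs, and a fix that passes the suite has addressed the root cause rather than the one path the attacker happened to take.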
Zero-day vulnerabilities pose serious security risks: a zero-day attack can damage your computer or expose your personal data. To protect both, it is strongly recommended to take proactive as well as reactive security measures.