Google’s in-house security team has warned that zero-day security threats are becoming a bigger risk than ever before.
In its annual round-up of the zero-day threat landscape, the Google Project Zero team noted that 58 distinct threats were identified in 2021, the biggest number seen since it began investigating back in 2014.
This is up from the 25 exploits discovered in 2020, and nearly double the amount seen for most years covered by the investigation.
Zero-day threat
Somewhat dishearteningly, the team noted that methodology used by zero-day attackers doesn’t appear to have changed or evolved much from previous years, with the same bug patterns and exploitation techniques still proving popular.
“When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities,” wrote Google. “We’d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn’t what the data showed us this year.”
However, Google does also note that the increase in reported zero-days may actually be a good thing, as it means more threats are being reported and publicly disclosed.
“We perform and share this analysis in order to make 0-day hard,” Maddie Stone from the Project Zero team wrote in a blog post announcing the findings. “We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities.”
“2021 highlighted just how important it is to stay relentless in our pursuit to make it harder for attackers to exploit users with 0-days. We heard over and over and over about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world.”
“The decisions we make in the security and tech communities can have real impacts on society and our fellow humans’ lives.”
Overall, Google says the industry does appear to be improving when it comes to the “detection and disclosure” of zero-day exploits, but it does warn that these are still “baby steps”.
The company is calling for a number of steps to boost progress, including establishing an industry standard behavior for all vendors to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited.
Google also says that vendors and security researchers alike should do better at sharing exploit samples or techniques, and more effort is also needed on reducing memory corruption vulnerabilities or rendering them unexploitable.