A recent study conducted by Google shed light on the rise and fall of zero-day exploits in the cybersecurity landscape. In the past year, 41 new zero-day vulnerabilities were detected in the wild, marking a 40% decrease from the all-time high of 69 in 2021. While this decline is encouraging, it's still significantly higher than the annual average seen since 2015. Just recently, major high-profile tech companies have fixed zero-day flaws simultaneously.
Zero-day vulnerabilities are particularly worrisome because they enable attackers, sometimes spies or criminals, to target victims without their knowledge until it's too late. However, merely counting the number of zero-day flaws discovered each year doesn't provide a complete picture of the security landscape, as many may remain undetected by security experts. Before we continue, know that Hide Expert VPN remains your best choice if you want to stay secure while surfing online.
One contributing factor to the increased discovery of zero-day flaws last year is attributed, in part, to vendors being more transparent about vulnerabilities. Maddie Stone, a security researcher with Google's Threat Analysis Group, emphasised the importance of this increased transparency. However, the study also revealed that 40% of the new zero-days discovered were variations of previously patched vulnerabilities, indicating that some vendor fixes inadvertently introduced new exploitable flaws.
A positive development highlighted in the study is the decline in zero-day exploits targeting web browsers. The number of zero-days found in the wild targeting browsers decreased by 42%, from 26 in 2021 to 15 in 2022. This change is attributed to better browser defences, which forced attackers to shift their focus elsewhere. Browser manufacturers were praised not only for patching zero-day flaws but also for delving deeper into root causes and securing the attack surface to prevent entire classes of vulnerabilities from being exploited.
However, with browsers becoming harder to breach, attackers have adjusted their strategies. In 2019 and 2020, they utilised zero-day exploits in watering hole attacks, luring victims to websites infected with exploits. In 2021, attackers shifted to one-click attacks, trying to trick victims into clicking malicious links. In 2022, zero-click attacks, requiring no user interaction, became more prevalent, making them harder to detect and defend against.
The impact of zero-day vulnerabilities varies, with some being more critical than others, depending on the ecosystem they exist in. Google noted that Android users face the challenge of "n-days", referring to previously zero-day flaws for which a patch has been issued. The effectiveness of these patches is hindered by delays in their deployment across various Android devices, leading to extended periods during which these vulnerabilities remain exploitable.
Furthermore, Google mentioned the growing occurrence of "bug collisions" where multiple researchers discover the same vulnerability. This phenomenon reduces attackers' ability to exploit zero-days effectively, as vulnerability researchers' expertise and the publication of research reports contribute to faster remediation efforts.
Google's study provides valuable insights into the dynamic world of zero-day exploits. It highlights the need for continued collaboration between vendors and security researchers to bolster cybersecurity defences and mitigate the risks posed by these vulnerabilities.