A latest study by Google’s Project Zero team shows that 58 zero-day vulnerabilities were discovered over the past year, a record since 2015. Detection capacity and more frequent disclosure of vulnerabilities explain this growth in particular.
After an air pocket in 2018, the number of zero-day vulnerabilities detected by Project Zero, Google’s cybersecurity research team, has started to rise again in recent years. To the point of reaching sixty – 58 to be precise – in 2021. This is the highest number since 2014, when the Mountain View firm began tracking down this type of fault. The report published by the publisher concerns not the flaws used but those detected and disclosed. At first glance, this rebound may seem worrying but must first be put into context: “we believe that the sharp increase in zero-day vulnerabilities in 2021 is due to increased detection and disclosure rather than a simple increase in the use of 0-day exploits,” explained Project Zero. “While we recognize the industry’s improvement in detecting and disclosing zero-day vulnerabilities, we also observe that there is still more to be done.”
Of the 58 zero days detected in 2021, 39, or 67%, were related to memory corruption including bugs of incorrect use of dynamic memory while a program is running (use-after-free), writing data after the end or before the start of buffering (out-of-bounds read & write), buffer overflow (buffer overflow) or integer overflow (integer overflow). In its study, Project Zero detailed the main zero-day vulnerabilities by component: Chromium (14), Windows (10), Android (7), WebKit (7), iOS/macOS (5), Exchange Server (5) and IE (4).
Evolution of the number of zero-day flaws detected over the past years. (credit: Google Project Zero)
Efforts by solution providers to detect zero days
For years to come, Google security researchers expect to see further growth in the number of zero-day vulnerabilities discovered. An observation which must above all serve as an awareness and additional means of action to be put in place: “all suppliers must agree to disclose the state of exploitation of vulnerabilities in their security bulletins, to share samples more widely exploits or their detailed technical descriptions, and pursue concerted efforts to reduce memory corruption vulnerabilities or render them inoperable,” the study explains. Between 2018 and 2021, publishers have already made notable efforts to detect zero-day vulnerabilities in their products, which have steadily increased over this period, from less than 5 in 2019 to more than 15 in 2021.
In addition to the general improvement in the detection capabilities of this type of particularly dangerous flaws, Google researchers also point to a better disclosure capacity on the part of suppliers. “Apple and Google on Android began labeling vulnerabilities in their security advisories with information about potential exploitation in the wild in November 2020 and January 2021 respectively. […] Congratulations and thanks to Microsoft, Google Chrome and Adobe who have been annotating their security bulletins for several years now for more transparency! And thanks to Apache who also documented their release notes for CVE-2021-41773 last year,” Project Zero said in particular. “It is very likely that in 2021, other zero days have been exploited in the wild and detected, but the editors did not mention this in their release notes. In 2022, we hope more vendors will start to signify when they fix vulnerabilities that have been exploited in the wild”