Google records number of zero-day leaks in the first half of 2021


The year isn't over yet, but Google has already registered a record number of zero-day vulnerabilities that were actively exploited before security updates were available. Zero-day leaks are of great interest to attackers because targets are unaware that they are vulnerable and vendor patches are missing. Google has been keeping a list of such vulnerabilities and attacks for several years now.


The overview goes back to 2014. According to Google's figures, 2015 was the previous "record year", when 28 zero-day leaks were observed. In the first six months of this year, the tech company has already registered 33 zero days in various platforms and programs. These are Apple Webkit (6), Microsoft Windows (6), Google Chrome (5), Android (5), Microsoft Exchange (4), Adobe Reader (3), Internet Explorer (2), Apple iOS (1) and Windows Defender (1). Many of these attacks do not require any victim interaction, other than visiting a compromised or rogue website, for example.


Maddie Stone of Google Project Zero recently said at a conference that researchers now have a better view of the attacks taking place, rather than just a small portion. The Google Project Zero team that Stone is part of has the motto "make zero-day hard." The intention is to make it more difficult for attackers to deploy zero-days. For example, the application of new techniques should make the development of exploits more difficult.


In addition, according to Stone, software vendors should develop better security updates to ensure that related vulnerabilities are covered by a single patch. The current patch methods do not make it more difficult to find other zero days, Stone says. Earlier this year, Google reported that a quarter of the zero days discovered in 2020 could have been prevented by better patches from suppliers.


Another point that comes into play is zero-day trading. One of the zero-day leaks recently discovered by Google appears to have been developed by a commercial exploitation company, according to the tech company . Civil rights groups such as the US EFF and Bits of Freedom and privacy researchers have often criticized companies that offer zero-day leak exploits in the past. It would be unclear where the exploits end up and who uses them. Also, the software developers in question are not informed, putting all users of a particular platform at risk.



Previous Post Next Post