31 July 2023

Google: Over 40% of 0Days discovered in 2022 were variations of previously disclosed bugs

Forty-one actively exploited zero-day vulnerabilities were detected and disclosed in 2022, down from 69 zero-days in 2021, according to Google’s fourth annual review of zero-day flaws exploited in the wild.

However, Maddie Stone of Google’s Threat Analysis Group warns that while a 40% drop might seem significant, the picture is more complicated, and the decrease in numbers does not necessarily mean that product security is getting better.

The report says that more than 40% of zero-day vulnerabilities discovered in 2023 were variants of the previously disclosed flaws, including seven from 2021 and one from 2020.

“Two key factors contributed to the higher than average number of in-the-wild 0-days for 2022: vendor transparency and variants. The continued work on detection and transparency from vendors is a clear win, but the high percentage of variants that were able to be used in-the-wild as 0-days is not great,” Maddie Stone wrote in a blog post.

Another issue the report highlights relates to so-called N-days, an exploited vulnerability that has a patch available. The problem here is that due to long patching times many N-day vulnerabilities function on Android as zero-days, exposing users to a risk of attacks.

Google also reported a 42% decline in the number of detected in-the-wild 0-days targeting browsers from 2021 to 2022, dropping from 26 to 15. The researchers believe that this is a result of browser makers’ efforts to make exploitation more difficult, as well as a shift in attacker behavior away from browsers towards 0-click exploits that target other components on the device.

“Many attackers have been moving towards 0-click rather than 1-click exploits. 0-clicks usually target components other than the browser. In addition, all major browsers also implemented new defenses that make exploiting a vulnerability more difficult and could have influenced attackers moving to other attack surfaces,” Maddie Stone wrote.

“When a 0-day is caught in the wild it’s a gift. Attackers don’t want us to know what vulnerabilities they have and the exploit techniques they’re using. Defenders need to take as much advantage as we can from this gift and make it as hard as possible for attackers to come back with another 0-day exploit,” she added.
