Google Project Zero, an in-house team of security researchers who study zero-day hardware and software vulnerabilities, has detected 58 such vulnerabilities used in the wild in 2021, roughly one per week and more than double the number in 2020.
According to the group’s annual report, ominously entitled The More You Know, The More You Know You Don’t Know, the count is double the previous maximum of 28 detected in 2015. On a more optimistic note, however, the analysts credited the “large uptick” to better detection and disclosure rather than “increased usage” of zero-day exploits.
“We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities,” the unit said in a blog post. Of the 58 zero-days used in 2021, all but two are similar to previous and publicly known vulnerabilities, the researchers said. One stood out for technical sophistication and another for its use of logic bugs to escape the sandbox.
A number of the most popular applications or platforms were regular targets of zero-day exploits:
- Google Chrome: 14
- Safari: 7
- Internet Explorer: 4
- Windows: 10
- macOS & iOS: 5
- Android: 7
- Microsoft Exchange Server: 5
Despite the record number of zero-days found in 2021, there could be many more. For example, messaging applications are known targets of attackers, yet only one zero-day in them was found for 2021. Moreover, in the eight years Project Zero has been tracking in-the-wild zero-day exploits, only two have been found in messaging apps. In addition, there are no known in-the-wild zero-days targeting cloud services, CPU vulnerabilities, or other phone components such as the WiFi chip.
“As an industry we’re not making 0-day hard,” the analysts said. “The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method.”
The team offered three “concrete steps” that the tech and security industries can take:
- Make it standard industry behavior for all vendors to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited.
- Have vendors and security researchers share exploit samples or detailed descriptions of the exploit techniques.
- Continue concerted efforts to reduce memory corruption vulnerabilities or render them unexploitable.