Google’s internal security team has warned that zero-day security threats are becoming a bigger risk than ever.
In its annual roundup of the zero-day threat landscape, the Google Project Zero team noted that 58 separate threats had been identified in 2021, the highest number seen since tracking began in 2014.
This represents an increase from the 25 exploits discovered in 2020, and nearly double the number seen in most of the years covered by the survey.
Zero Day Threat
Somewhat discouragingly, the team noted that the methodology used by zero-day attackers doesn’t appear to have changed or evolved much from previous years, with the same bug patterns and exploit techniques still proving popular.
“When we look at these 58 used 0 days in 2021, we instead see similar 0 days to previous, publicly known vulnerabilities,” Google wrote. “We expect that to be successful, attackers must find new bug classes of vulnerabilities in new attack surfaces using never-before-seen exploitation methods. In general, that’s not what the data has shown us this year.”
However, Google also notes that the increase in the number of reported zero days may actually be a good thing, as it means more threats are reported and publicly disclosed.
“We perform and share this analysis to make 0-day difficult,” Maddie Stone of the Project Zero team wrote in a blog post announcing the results. “We want it to be more expensive, more resource-intensive, and overall harder for attackers to use 0-day capabilities.”
“2021 has highlighted how important it is to remain relentless in our pursuit to make it harder for attackers to exploit users with 0 days. We have heard time and time again how governments target journalists, minority populations, politicians, human rights advocates, and even security researchers around the world.”
“The decisions we make in the security and technology communities can have real impacts on society and the lives of our fellow human beings.”
Overall, Google says the industry appears to be improving when it comes to “detection and disclosure” of zero-day exploits, but warns that these are still “small steps”.
The company is calling for a number of measures to accelerate progress, including making it industry-standard behavior for all vendors to publicly disclose when there is evidence to suggest a vulnerability in their product is being exploited.
Google also says that vendors and security researchers should do more to share exploit samples or techniques, and that more effort is needed to reduce memory corruption vulnerabilities or render them unexploitable.