Google: We’re spotting more zero-day bugs than ever. But hackers still have it too easy


Of the 58 zero-day exploits in popular software that Google's Project Zero tracked in 2021, only two were particularly novel; the rest relied on the same bug classes and exploitation techniques seen over and over again.

That’s both good and bad news for the software industry. 

2021 was a record year for the number of zero-day flaws in software such as Chrome, Windows, Safari, Android, iOS, Firefox, Office and Exchange that Google Project Zero (GPZ) tracked as exploited in the wild before a vendor patch was available.

At 58, the count was more than double the previous annual high recorded since GPZ started tracking in-the-wild zero-days in mid-2014.


Google security researchers have previously pointed out the problems with deriving trends from data about zero-days in the wild. For example, just because a bug wasn't spotted doesn't mean it wasn't being used, and Google has argued that part of the rise reflects better detection rather than more exploitation. There was also a major gap in the data: GPZ had exploit samples for only five of the 58 vulnerabilities, so for the remaining 53 it could see which bug was fixed but not how it was actually exploited.

While zero-days that are discovered in the wild are a "failure" for attackers, Maddie Stone, a researcher with GPZ, points out in a blog post that "without the exploit sample or a detailed technical write-up based upon the sample, we can only focus on fixing the vulnerability rather than also mitigating the exploitation method."
