Last year, more than double the published vulnerabilities in 2020
Online security and user experience go hand in hand – no one will want to use even the smartest phone in the world if it leaves you open to hackers. This is why developers are constantly working behind the scenes to keep users safe, but inevitably some security flaws go unnoticed. Perhaps the most frightening class are zero-day exploits, where there is no patch to fix these holes once the attacks land. This week, Google looks back on efforts to detect these vulnerabilities, and with 58 of them discovered and revealed in 2021, 0-days had their busiest years yet.
These 58 zero-days found in 2021 represent more than double the 25 exploits discovered in 2020. Does this mean that software is becoming more insecure or that hackers have doubled their efforts? Instead, Google suggests that the trend is more likely the result of improved detection of zero-day problems by people like Microsoft, Apple, and Google itself.
The post breaks down 2021 zero-day exploits in great detail, but what stands out most is how far behind many vendors are in taking steps to do something about known vulnerabilities. Google’s Project Zero (a team of elite bug-hunters) aims to make it more costly, resource-intensive, and generally harder for attackers to use zero-days, but it’s largely a work in progress. Of the zero days detected, only two (targeted at iOS and Mac devices) really were new-new. The rest were variations of well-known errors, with most (67%) being a variation of memory corruption vulnerabilities. The implication is that hackers do not have to try near as much as we hope they would to find new attacks.
Google warns that its record of zero-day attacks is not as comprehensive as it could be. For example, messaging platforms like WhatsApp, Signal and Telegram did not report any zero-day vulnerabilities in 2021, which is surprising given that all three apps are major hacking targets. In fact, since Google began tracking in 2014, only two zero-days for messaging apps have been reported: WhatsApp in 2019 and iMessage in 2021. The company suspects that lack of discovery or disclosure may be the reason these numbers are so low – not that vulnerabilities do not necessarily exist.
Google hopes the technology industry will share more exploitation examples with detailed technical descriptions when revealing zero-day vulnerabilities. In addition, it urges vendors to do more to make memory corruption errors unusable. In the meantime, you can do your best to protect your devices from malware by making sure your software is up to date.
Do not miss this rare discount on the latest iPad Pro at Amazon
About the author