Google: half of zero-day flaws are linked to bad patches


Half of the 18 zero-day vulnerabilities that have been exploited this year could have been avoided if the major software vendors had created more comprehensive patches and carried out more testing.

This is the verdict of researchers from the Google Project Zero team, which has identified 18 zero-day flaws so far in 2022. These affect Windows (Microsoft), iOS and WebKit (Apple), Chromium and Pixel (Google), and the Confluence server (Atlassian).

It’s in the old cracks that we make the best exploits

Google Project Zero only collects data on zero-day flaws — bugs exploited by attackers before a fix is available — in major software, so the reported number doesn’t include all 0-day flaws discovered in software.

Additionally, according to the Google team, there have only been four truly unique zero-day flaws this year, as attackers simply modify their exploits to circumvent partial patches.

“At least half of the zero-day flaws we observed in the first six months of 2022 could have been avoided with more comprehensive patching and regression testing. Additionally, four of the 2022 zero-day flaws are variants of 2021 zero-day flaws. Just 12 months after the first 0day was patched, attackers came back with a variant of the original bug,” writes Maddie Stone, a member of the Project Zero team, in a blog post.

She adds that at least half of the zero-day flaws “are closely related to bugs we’ve seen before.”

More and more zero days

This lack of originality is in line with a trend that Maddie Stone and other Google researchers have recently highlighted.

More zero-day flaws were found in 2021 than in the last five years that Google Project Zero has counted them.

Several factors are potentially at play. First, researchers may be better able to detect exploitation by attackers than before. Second, the source code of browsers has become as complex as that of operating systems. In addition, browsers have become a direct target following the disappearance of browser plug-ins like Flash Player.

Industry practices to review

But while detection, disclosure, and patching are improving across the industry, “we’re not making 0days hard (to create),” Maddie Stone points out. She wants the industry to eliminate entire classes of security flaws.

For example, 67% of the 58 zero-day flaws counted in 2021 were memory corruption vulnerabilities.

Chrome’s security team is working on fixes for memory flaws stemming from the browser’s huge code base written in C++, but mitigations come at a performance cost. Chrome can hardly be rewritten in Rust, which offers better memory safety guarantees than C and C++.

Partial fixes

Maddie Stone also points out that Microsoft’s Windows team and Google’s Chrome team have provided partial fixes.

“Many of the 2022 zero-day flaws are due to the previous vulnerability not being fully patched. In the case of the Windows win32k and Chromium property access interceptor bugs, the execution flow that the exploits targeted has been fixed, but the root cause has not been addressed: attackers were able to come back and trigger the original vulnerability through a different path,” she says.

“In the case of WebKit and Windows PetitPotam, the original vulnerability had already been patched, but at some point it regressed so that attackers could exploit the same vulnerability again.”
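To make the distinction between a path-only patch and a root-cause fix concrete, here is an added illustration that is not part of the article and has nothing to do with the specific win32k, Chromium, WebKit or PetitPotam bugs it names. It uses a constructed toy path-traversal check: the original code trusts the caller, the partial fix blocks only the literal string the first report used, and the root-cause fix canonicalises the path and enforces containment. A small regression suite, kept in the code base so that the fix cannot silently regress, shows which version lets a variant through and which version rejects legitimate input. All paths, the base directory and the function names are assumptions for the example.

```python
"""Partial fix vs. root-cause fix, with a regression suite.

Constructed illustration only: the vulnerable code is a toy path-traversal
check, not any of the bugs discussed in the article.
"""
import posixpath

BASE_DIR = "/srv/files"  # constructed sandbox root for the example


class PathRejected(ValueError):
    """Raised when a user-supplied path is refused."""


def resolve_original(user_path):
    """Original code: joins the caller's path with no containment check."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def resolve_partial_fix(user_path):
    """Partial fix: blocks the exact pattern the first exploit used ("../")
    but leaves the root cause, the missing containment check, untouched."""
    if "../" in user_path:
        raise PathRejected(user_path)
    return resolve_original(user_path)


def resolve_root_cause_fix(user_path):
    """Root-cause fix: canonicalise first, then require the result to stay
    inside BASE_DIR. The trailing "/" in the prefix check matters, because
    "/srv/files-backup" also starts with "/srv/files"."""
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    if resolved != BASE_DIR and not resolved.startswith(BASE_DIR + "/"):
        raise PathRejected(user_path)
    return resolved


# (input, should_be_allowed). Constructed cases: the first report's payload,
# the variants a second look would try, and legitimate inputs that a
# blocklist-style patch tends to break.
REGRESSION_SUITE = [
    ("reports/q1.txt", True),
    ("reports/../index.txt", True),            # legitimate, stays inside
    ("../../etc/passwd", False),               # the originally reported path
    ("reports/../../../etc/passwd", False),    # same pattern, deeper
    ("/etc/passwd", False),                    # variant: absolute path, no "../"
    ("../files-backup/secret.txt", False),     # variant: sibling-prefix escape
]


def audit(resolver):
    """Run the suite against one resolver and report both failure modes:
    escapes (dangerous input allowed) and false rejects (safe input refused)."""
    escapes, false_rejects = [], []
    for user_path, should_allow in REGRESSION_SUITE:
        try:
            resolver(user_path)
            allowed = True
        except PathRejected:
            allowed = False
        if allowed and not should_allow:
            escapes.append(user_path)
        elif not allowed and should_allow:
            false_rejects.append(user_path)
    return {"escapes": escapes, "false_rejects": false_rejects}


if __name__ == "__main__":
    for name, fn in [("original", resolve_original),
                     ("partial fix", resolve_partial_fix),
                     ("root-cause fix", resolve_root_cause_fix)]:
        print(f"{name:15s} {audit(fn)}")
```

Running the suite shows the pattern the article describes: the partial fix closes the exact path from the first report but still lets the absolute-path variant through (and rejects a harmless input the original accepted), while the root-cause fix passes every case. Keeping such a suite in CI is the regression testing Project Zero is asking for: if a later refactor reintroduces the original behaviour, the escape cases fail before the change ships.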

The flaws exploited this year

Here is the list of zero-day vulnerabilities exploited in 2022 that Google Project Zero tracked through June 15:

  • Windows win32k: CVE-2022-21882, variant of CVE-2021-1732 (2021);
  • iOS IOMobileFrameBuffer: CVE-2022-22587, variant of CVE-2021-30983 (2021);
  • Windows: CVE-2022-30190 (“Follina”), variant of CVE-2021-40444 (2021);
  • Chromium property access interceptors: CVE-2022-1096, variant of CVE-2016-5128, CVE-2021-30551 (2021) and CVE-2022-1232;
  • Chromium v8: CVE-2022-1364, variant of CVE-2021-21195;
  • WebKit: CVE-2022-22620 (“Zombie”), originally patched in 2013, but reverted in 2016;
  • Google Pixel: CVE-2021-39793 (CVE says 2021, but flaw was disclosed and patched in 2022), variant of a similar Linux flaw, in a different subsystem;
  • Atlassian Confluence: CVE-2022-26134, variant of CVE-2021-26084;
  • Windows: CVE-2022-26925 (“PetitPotam”), variant of CVE-2021-36942 (regressed patch).

Source: ZDNet.com