Security researchers at Google have called 2020 the year of zero-day exploits owing to the large number of these vulnerabilities that were detected and fixed last year.
In a year-in-review post, the researchers shared that while they are still a long way off from detecting the zero-day exploits in the wild, surprisingly a quarter of them stem from previously disclosed vulnerabilities and could have easily been prevented.
“1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored,” wrote Maddie Stone, a security researcher in Google’s Project Zero team.
- We've put together a list of the best endpoint protection software
- Here’s our list of the best disaster recovery services
- Take a look at these best malware removal software
Fool me twice
According to Stone, last year Project Zero unearthed 24 zero-day exploits that were being actively used in the wild.
In her post, she breaks down six of them to reveal how they were related to previously disclosed vulnerabilities. "Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit," she writes.
As she breaks down the six vulnerabilities the team discovered in Chrome, Firefox, Internet Explorer, Safari, and Windows, Stone notes that they were the result of improper fixes. Surprisingly, her analysis also revealed that three of the vulnerabilities that were patched in 2020 were again “either not fixed correctly or not fixed comprehensively.”
Stone asks vendors to make all the investment required to release correct and comprehensive patches for vulnerabilities that cover all its variants: “Many times we’re seeing vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole, which would block all of the paths.”
Stone also puts some onus on the security researchers as well who should do a better job of following up and testing the patch.
“We would really like to work more closely with vendors on patches and mitigations prior to the patch being released,” she suggests, adding that “early collaboration and offering feedback during the patch design and implementation process is good for everyone. Researchers and vendors alike can save time, resources, and energy by working together, rather than patch diffing a binary after release and realizing the vulnerability was not completely fixed.”
- Protect your devices with these best antivirus software