Google: Half of zero-day flaws are linked to bad patches

Half of the 18 zero-day bugs that were exploited this year could have been avoided if the major software vendors had created more comprehensive patches and performed more testing.

That’s the verdict of researchers from the Google Project Zero team, which has identified 18 zero-day bugs so far in 2022 affecting Microsoft Windows, Apple iOS and WebKit, Google’s Chromium and Pixel, and Google’s Confluence server. ‘Atlasian.

It’s in the old cracks that we make the best exploits

Project Zero only collects data on “zero day” vulnerabilities, bugs exploited by attackers before a fix is ​​available, in major software, so the figure does not include all 0 vulnerabilities. -day discoveries in software.

Additionally, according to Project Zero, there have only been four truly unique zero-day flaws this year, as attackers simply modify their exploits to circumvent partial patches.

“At least half of the zero-day flaws we observed in the first six months of 2022 could have been avoided with more comprehensive patching and regression testing. In addition, four of the zero-day flaws in 2022 are variants zero-day vulnerabilities of 2021. Just twelve months after the first zero-day was patched, attackers have returned with a variant of the original bug,” Project Zero member Maddie Stone wrote in a blog post.

She adds that at least half of the zero-day flaws “are closely related to bugs we’ve seen before.”

This lack of originality is in line with a trend that Stone and others at Google have recently highlighted.

More 0 days were found in 2021 than in the last five years that Google Project Zero has counted them. Several factors are potentially at play. First, researchers may be better able to detect their exploitation by attackers than before. On the other hand, the source code of browsers has become as complex as the operating systems. Additionally, browsers have become a direct target, following the disappearance of browser plug-ins like Flash Player.

Industry practices to review

However, as detection, disclosure and patching improve across the industry, Maddie Stone has previously argued that the industry “isn’t making 0 days harder”. She wants the industry to eliminate entire classes of security flaws.

For example, 67% of the 58 0day flaws were memory corruption vulnerabilities.

Chrome’s security team is working on fixes for memory flaws stemming from the browser’s huge code base written in C++, but mitigations come at a performance cost. Chrome can hardly be rewritten in Rust, which offers better memory safety guarantees than C and C++.

Maddie Stone also points out that Microsoft’s Windows team and Google’s Chrome team have provided partial fixes.

“Many of the 2022 zero day flaws are due to the previous vulnerability not being fully patched. , but the root cause has not been addressed: attackers may have come back and triggered the original vulnerability through a different path,” she said.

“In the case of WebKit and Windows PetitPotam, the original vulnerability had already been patched, but at some point it regressed so that attackers could exploit the same vulnerability again.”

Here is the list of zero days exploited in 2022 that Google Project Zero has tracked until June 15:

  • Windows win32k: CVE-2022-21882, variant of CVE-2021-1732 (2021);
  • iOS IOMobileFrameBuffer: CVE-2022-22587, variant of CVE-2021-30983 (2021);
  • Windows: CVE-2022-30190 (“Follina”), variant of CVE-2021-40444 (2021);
  • Chromium property access interceptors: CVE-2022-1096, variant of CVE-2016-5128, CVE-2021-30551 (2021) and CVE-2022-1232;
  • Chromium v8: CVE-2022-1364, variant of CVE-2021-21195;
  • WebKit: CVE-2022-22620 (“Zombie”), originally patched in 2013 but reverted in 2016;
  • Google Pixel: CVE-2021-39793 (CVE says 2021, but flaw was disclosed and patched in 2022), variant of a similar Linux flaw, in a different subsystem;
  • AtlassianConfluence: CVE-2022-26134, variant of CVE-2021-26084;
  • Windows: CVE-2022-26925 (“PetitPotam”), variant of CVE-2021-36942 (regressed patch).

Source: “”

Leave a Comment