Of the 58 zero-day exploits in popular software that Google's Project Zero tracked in 2021, only two were particularly novel, while the rest relied on the same techniques over and again.
That's both good and bad news for the software industry.
2021 was a record year in terms of the number of zero-day flaws in software like Chrome, Windows, Safari, Android, iOS, Firefox, Office and Exchange that Google Project Zero (GPZ) tracked as being exploited in the wild before a vendor patch was available.
At 58, that was more than double the annual rate of discovery and detection of zero-day exploits in the wild since GPZ started tracking zero days in mid-2014.
Google security researchers have previously pointed out the problems with deriving trends from data about zero days in the wild. For example, just because a bug wasn't spotted, that doesn't mean it wasn't being used. Google has argued that detection is getting better. But there was also a major gap in information: there were only five samples of the exploits used against each of the 58 vulnerabilities.
While zero days that are discovered in the wild are a "failure" for attackers, Maddie Stone, a researcher with GPZ, points out in a blogpost that "without the exploit sample or a detailed technical write-up based upon the sample, we can only focus on fixing the vulnerability rather than also mitigating the exploitation method."
This focus means that attackers are able to continue using their existing exploit methods rather than having to go back to the design and development phase to build a new exploitation method, she says.
Attackers, she notes, are successfully using the same bug patterns and exploitation techniques and going after the same attack surfaces. This repetition means attackers aren't yet being forced to invest in new methods and raises questions about how much the industry is raising the cost for attackers.
"Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox," she notes.
To make progress in 2022, GPZ hopes to see all vendors agree to disclose that a flaw is being exploited in the wild in their bug bulletins, as Google's Chrome security team routinely does. Apple disclosed that status for iOS for the first time in 2021.
It also wants exploit samples or detailed technical descriptions of the exploits to be shared more widely.
Stone notes that 67% – or 39 – of the 58 in-the-wild 0-days for the year were memory corruption vulnerabilities.
GPZ's conclusion is that the industry made some progress in 2021 through better detection and disclosure, but Stone adds that "as an industry we're not making 0-day hard."
As she explains: "The goal is to force attackers to start from scratch each time we detect one of their exploits: they're forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method."