CyberSecurity SEE

41 Zero-days Exploited In-the-Wild in 2022

In 2022, detections of zero-day exploits in the wild decreased by 40% compared to the previous year. Even so, 41 zero-day exploits were detected, which is a significant number. The decline does not necessarily indicate improved product security or better detection by defenders.

According to Google’s 2020 findings, the percentage of exploited zero-days linked to disclosed vulnerabilities increased from 25% to over 40% in 2022, with 17 of the 41 zero-days connected to disclosed vulnerabilities. Additionally, over 20% of the zero-days detected were variants of previous ones, highlighting the need for prompt patching to address these variants and n-days posing as zero-days.

Google researchers say the industry should focus on enhancing patching to address variants and n-days, adopting browser-like mitigations to reduce the exploitability of entire vulnerability classes, and increasing transparency and collaboration between vendors and defenders to detect exploit chains across multiple products.

It is important to note that the detection and disclosure of zero-days in the wild serve as just one indicator for security experts. The 40% drop in 2022 can be attributed to a mix of improvements and regressions, resulting in a higher-than-average count of zero-days for that year.

One of the reasons why zero-days are still a significant threat is the gaps between upstream vendors and downstream manufacturers. These gaps allow n-days, which are vulnerabilities that are not publicly known or patched, to act as zero-days due to the lack of available patches. This leaves users with limited defenses against these exploits. Android experiences more prevalent and extended gaps in such associations, making it a target for attackers.

In addition to the general decrease in detected zero-days, there was also a 42% reduction in browser zero-days in 2022. This could be attributed to increased exploit mitigations by manufacturers and attackers shifting their focus to other areas. For example, attackers favored zero-click exploits in 2022, targeting non-browser components like iMessage.

Zero-click exploits require a visible link that targets must click, potentially making them detectable by security tools. These exploits are hosted on a server at that link and can be navigated by attackers.

In the second half of 2023, Google’s 0-days in-the-wild program will be moving from Project Zero to TAG (Threat Analysis Group), combining vulnerability analysis, detection, and threat actor tracking expertise into one team. This will introduce TAG Exploits, which will further enhance Google’s efforts in combating zero-day exploits.

While the decrease in detected zero-days is a positive development, it is important to remain vigilant and continue to address the underlying vulnerabilities that allow these exploits to occur. Collaboration between vendors, defenders, and researchers will be crucial in staying ahead of attackers and minimizing the impact of zero-day exploits.

Overall, while the 40% drop in detected zero-days in 2022 may seem like a security win, it is essential to recognize that zero-day exploits continue to pose a significant threat. The ongoing efforts to improve product security, enhance detection capabilities, and increase collaboration will be vital in mitigating this risk.
