Quick fixes for zero-day vulnerabilities are giving rise to fresh issues for security teams, a new Google report suggests.
According to cybersecurity researchers at Google Project Zero, half of the 18 zero-days found in major software this year could have been prevented had developers done a better job at patching (opens in new tab) the original flaw.
What’s more, four of the zero-days discovered this year are spin-offs of bugs originally identified in 2021.
Browsers are a major target
"At least half of the 0-days we've seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests," said Maddie Stone, one of the researchers.
"On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug."
In total, there were more zero-days discovered in 2021 than in the past five years. But while sloppiness may be a contributing factor, it’s not the only cause of this rise, it was said.
> Google says 2021 was a record year for zero-day hacks (opens in new tab)
> This dangerous Microsoft Office zero-day is now being exploited in the wild (opens in new tab)
> Best identity theft protection of 2022 (opens in new tab)
There’s also the fact that, since the demise of the Flash player, cybercrooks have turned their attention towards browsers as their next biggest target. There’s also the fact that browsers have become so big that their code volume rivals that of certain operating systems.
To top it off, researchers have probably gotten better at detecting zero-days being exploited on endpoints (opens in new tab) in the wild than they were five years ago.
Google itself has patched four zero-day vulnerabilities in its Chrome browser, this year alone.
- These are the best antivirus solutions (opens in new tab) around
Via ZDNet (opens in new tab)