Introduction: Executive Summary
Google’s Threat Analysis Group presents a comprehensive review of 0-days exploited in-the-wild during 2022. A total of 41 in-the-wild 0-days were detected and disclosed, making it the second-highest number since tracking began in mid-2014. However, this figure reflects a 40% decline compared to the previous year. In this report, we analyze the trends, gaps, lessons learned, and successes of these 0-day exploits to gain valuable insights into the state of online security.
Key Takeaways from 2022 Include:
1. N-days functioned as 0-days on Android due to slow patching times.
2. 0-click exploits and new browser mitigations reduced browser 0-days.
3. Over 40% of the 0-days discovered were variants of previously reported vulnerabilities.
4. The high occurrence of bug collisions poses challenges for both attackers and defenders.
5. Recommendations include focusing on comprehensive and timely patching, broader mitigations, transparency, and collaboration across the industry.
6. Continued growth of transparency and collaboration between vendors and security defenders, sharing technical details and working together to detect exploit chains that cross multiple products.
By the Numbers
Throughout 2022, the 41 in-the-wild 0-days were distributed evenly across the year, with 20 discovered in the first half and 21 in the second half. In 2021, 20 organizations were credited with the 69 detected 0-days, while in 2022, 18 organizations were credited with the 41 0-days that were detected. Given this, it would be encouraging to see more organizations working on 0-day detection, as the need for this work remains high.
Limits of Number of 0-days as a Security Metric
It’s important to note that the number of detected and disclosed 0-days in 2022 alone cannot accurately depict the state of security. Numerous factors can influence this metric, pushing it up or down. For example, the 40% drop in detected and disclosed 0-days from 2021 to 2022 is believed to reflect a combination of security improvements and security regressions. Therefore, a more in-depth analysis is required to understand the underlying causes and devise effective security measures.
Factors that could cause detected and disclosed in-the-wild 0-days to rise:
- Security Improvements: Attackers require more 0-days to maintain the same capability.
- Security Regressions: 0-days are easier to find and exploit.
Factors that could cause detected and disclosed in-the-wild 0-days to decline:
- Security Improvements: 0-days take more time, money and expertise to develop and use.
- Security Regressions: Attackers need fewer 0-days to maintain the same capability.
Are 0-days Available on Android?
In 2022, the Android ecosystem faced challenges, with n-days acting as 0-days due to delays in patching vulnerabilities. Publicly known vulnerabilities were exploited by attackers because downstream manufacturers failed to release patches promptly. Effective coordination between upstream vendors and downstream manufacturers is crucial to prevent such scenarios and protect users. In one case, a fixed driver version was released upstream in October 2022; in November 2022, TAG discovered the bug being exploited in the wild, yet the fix did not reach Android until April 2023.
Browsers Are So 2021
There was a 42% decrease in detected in-the-wild 0-days targeting browsers in 2022. This reduction can be attributed to browsers’ efforts to enhance their defenses and to attackers’ shift toward 0-click exploits targeting non-browser components. Among the advances in browser defenses, Chrome launched MiraclePtr, the V8 Sandbox, and libc++ hardening; Safari launched Lockdown Mode; and Firefox launched more fine-grained sandboxing. These contributions have made browser exploitation more difficult and are an incentive for attackers to move to other attack surfaces.
Déjà vulnerability: Complete Patching Remains a Key Opportunity
Alarmingly, 17 out of 41 in-the-wild 0-days in 2022 were variants of previously reported vulnerabilities, signaling a persistent challenge. Comprehensive patching plays a critical role in fixing all variations of a vulnerability, making it harder for attackers to exploit 0-days. The security industry must invest in addressing the root cause and conducting thorough analyses of potential exploit techniques to ensure complete and effective patches. A complete patch is both correct and comprehensive: a correct patch fixes the reported bug accurately, and a comprehensive patch also closes its variants, so that the vulnerability cannot simply be exploited again through a slightly different path.
No Copyrights in Exploits
A noteworthy observation is that a 0-day vulnerability is not exclusive to whoever finds it first; multiple researchers and attackers can independently discover and exploit the same vulnerability. The rise in bug collisions, where different entities find the same vulnerability, suggests that attackers are using fewer unique 0-days. Collaborative efforts between researchers and vendors are pivotal in fixing vulnerabilities and disrupting attackers’ exploit chains. Vendors are strongly advised to continue supporting researchers and investing in their bug bounty programs, because the vulnerabilities researchers report are likely the same ones being used against users.
As we reflect on 2022, our key takeaway is that we are on the right path in the fight against 0-day exploits, but there are still numerous areas of opportunity. Timely and comprehensive patching, root cause analysis, sharing technical details, and leveraging vulnerability reports are crucial aspects that demand continuous investment and prioritization.
Final Thoughts: TAG’s New Exploits Team
Looking ahead to the second half of 2023, Google’s Threat Analysis Group is excited to introduce TAG Exploits, a consolidated team combining vulnerability analysis, detection, and threat tracking expertise. Our aim is to foster peer review and collaboration to bolster online security and make 0-day exploitation a formidable challenge for attackers.
Q1: What are 0-click exploits?
0-click exploits are a type of attack that requires no user interaction to trigger, often targeting device components beyond browsers.
Q2: How do bug collisions benefit defense?
Bug collisions, where multiple entities find the same vulnerability, result in attackers using fewer unique 0-days, which contributes to a more secure environment.
Q3: How can the security industry improve comprehensive patching?
The security industry must invest in thorough root cause analysis, variant analysis, and exploit technique analysis to ensure patches are both correct and comprehensive.
Q4: What can users do to protect themselves from 0-day exploits?
Users should keep their software and devices up-to-date with the latest patches and security updates. Being cautious while clicking on suspicious links and avoiding untrustworthy websites can also mitigate risks.
Q5: How can I report potential 0-days to Google’s Threat Analysis Group?
If you discover or suspect a potential 0-day vulnerability, you can reach out to Google’s Threat Analysis Group at [email protected]. Your input can contribute to enhancing overall online security.