Google Project Zero Detects a Record Number of Zero-Day Exploits in 2021

Google Project Zero called 2021 a “record year for in-the-wild 0-days,” as 58 security vulnerabilities were detected and disclosed during the course of the year.

The development marks more than a two-fold jump from the previous maximum when 28 0-day exploits were tracked in 2015. In contrast, only 25 0-day exploits were detected in 2020.

“The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits,” Google Project Zero security researcher Maddie Stone said.

“Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces,” Stone added.

The tech giant’s in-house security team characterized the exploits as similar to previous and publicly known vulnerabilities, with only two of them markedly different in the technical sophistication and use of logic bugs to escape the sandbox.

Both of them relate to FORCEDENTRY, a zero-click iMessage exploit attributed to the Israeli surveillance ware company NSO Group. “The exploit was an impressive work of art,” Stone said.

The sandbox escape is “notable for using only logic bugs,” Google Project Zero researchers Ian Beer and Samuel Groß explained last month. “The most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.”

A platform-wise breakdown of these exploits shows that most of the in-the-wild 0-days originated from Chromium (14), followed by Windows (10), Android (7), WebKit/Safari (7), Microsoft Exchange Server (5), iOS/macOS (5), and Internet Explorer (4). Read more:

You can also read this: Google Sues Scammer for Running ‘Puppy Fraud Scheme’ Website

Leave a Reply

Your email address will not be published. Required fields are marked *