Google’s security-focused Project Zero first began documenting exploited zero-day vulnerabilities in popular software in 2014. The tech company announced this week that no other year since then has seen as many publicly known exploited vulnerabilities as 2021.
Zero-day vulnerabilities are undiscovered bugs in software that can allow hackers to carry out sophisticated attacks on programs and platforms.
“2021 included the detection and disclosure of 58 in-the-wild zero-days, the most recorded since Project Zero began tracking,” Google researcher Maddie Stone said in a blog post on Tuesday.
That number is more than double the 28 zero-days recorded in 2015, Stone said.
Finding more zero-days does not necessarily mean attackers are getting smarter. The vast majority of the exploits Google tracked in 2021 were not particularly new, Stone wrote, appearing to use “the same bug patterns and exploit techniques, and targeting the same attack surface” that hackers have been targeting.
Some of the biggest targets last year included Apple’s iOS and macOS, Microsoft’s Windows and Exchange, and Google itself, which recorded 14 zero-day vulnerabilities in its Chrome browser (up from seven in 2020). Google’s Android, meanwhile, had seven zero-day vulnerabilities.
The question is: why are so many new bugs being discovered? Is it because software security is getting lax? Are hackers getting better at hacking? Google researchers seem to think it is actually because the security industry is getting better at finding and sharing information about its problems.
“While we believe that attacker interest and investment in zero-day attacks has been steadily growing over the past few years, and that security still needs to improve urgently, the security industry detecting and disclosing in-the-wild 0-day attacks is the main explanation for the increase in 0-day attacks observed in 2021.”
In general, companies seem to be getting better at disclosing their security concerns to the public. That said, “there’s a lot of work to be done,” Stone wrote, noting that one of Google’s goals is to make zero-day disclosure an industry-wide norm.
You can view Google’s full zero-day tracking record in this constantly updated spreadsheet. As it shows, the 2022 tally has already begun to build, with over a dozen zero-days discovered in the first four months of the year.