Google: 0-Day vulnerabilities down in 2022, but still higher than average

Martin Brinkmann
Jul 29, 2023
Google, Security

Google published a summary of 0-day exploits in the wild in 2022 on the company's official Google Security Blog this week. It is the fourth report of its kind and Google uses it to highlight trends and also progress made regarding 0-day exploits.

The analysis focuses mainly on Google's ecosystem, Android and Chrome, but it provides information about other web browsers and operating systems as well.

Maddie Stone, a security researcher at the Threat Analysis Group, writes that Google detected 41 in-the-wild 0-day exploits in 2022. The year 2021 saw an all-time high of 69 0-day exploits in the wild. With its 41 different 0-day exploits, 2022 still ranks second.

0-day exploits were down on all monitored platforms, except for Apple's macOS platform, which saw a 100% increase from a single 0-day exploit in 2021 to two in 2022. Windows is still the platform with the largest number of 0-day exploits according to Google's report, followed by iOS and Android.

As far as web browsers are concerned, 0-day exploits are down here as well: they dropped from 26 to 15. Chrome was affected by the bulk of issues, followed by WebKit and Firefox.

Google observed several shifts in attack patterns and also notable key takeaways when comparing the exploits of 2022 with those of 2021:

  • Android patching is still a major issue, as it can turn 0-day exploits into n-day exploits due to missing patches.
  • Browser 0-days were down thanks to new browser mitigations and also a shift to 0-click exploit attacks.
  • More than 40% of the 0-days discovered in 2022 were variants of already reported vulnerabilities.

Google's key takeaways for 2023 and beyond attempt to address these changing patterns. The company notes that the industry must "get fixes and mitigations to users quickly", make sure that the root cause of a vulnerability is addressed to prevent variants from exploiting it as well, share "as many technical details as possible", and "capitalize on reported vulnerabilities to learn and fix as much as we can from them".

Users interested in additional details on Google's report and strategy going forward can check out the full post on the Google Security Blog.


Comments

  1. TelV said on July 30, 2023 at 11:58 am

    That link takes me to the site, but it’s a blank page except for the title: Google Security Blog. Presumably I’d have to undo all my privacy settings to reveal the actual data which I’m not going to do.

    1. Iron Heart said on July 30, 2023 at 7:32 pm

      @TelV

      Either that or your blocking is overzealous, I would speculate on the latter.

      I can read it in Brave, 5 elements blocked on that page.

      1. Andy Prough said on July 30, 2023 at 9:00 pm

        @Iron – try blocking Google’s javascript, which is stuffed to the brim with trackers.

    2. Andy Prough said on July 30, 2023 at 2:22 pm

      Yes, it’s no surprise that Google requires us to lower our tracker blocking shields in order to just read simple text on their web pages now. They never want to waste a single opportunity to collect data for their advertising income and to feed to their AI projects.

  2. Andy Prough said on July 29, 2023 at 7:56 pm

    Google vowing to defeat zero-day exploits reminds me of OJ Simpson vowing to find his wife’s real killer.

    Google literally sells advertising space for malware at the top of its search results and allows malware that is downloaded millions of times onto its Android Play Store and its Chrome Web Store. As covered right here multiple times on Ghacks.

    And Google’s programming errors in Chrome/chromium are a big contributor to the increase in zero-days in 2022-2023.

    1. Iron Heart said on July 30, 2023 at 7:17 pm

      @Andy Prough

      > Google vowing to defeat zero-day exploits reminds me of OJ Simpson vowing to find his wife’s real killer.

      And your comments remind me of a longtime Firefox promoter who doesn’t know what he is talking about and posts the same crap every single time.

      > Google literally sells advertising space for malware at the top of its search results and allows malware that is downloaded millions of times onto its Android Play Store and its Chrome Web Store. As covered right here multiple times on Ghacks.

      Has this anything, literally anything, to do with the security of Chromium, the browser code base? If you think that one follows from the other, or that the same people are responsible for everything, you are simply not very intelligent or just trolling. Likely both.

      Google also employs Project Zero, the security researchers who have found a good portion of high profile security issues over the last few years. At Google itself, and of course ELSEWHERE too. Do they also not know what they are doing?

      @copper arms

      > outpacing Flash’s last few years by orders of magnitude – not just the new Flash but the new improved Flash

      Yeah because a code base as sizable as an operating system is comparable to f*cking Adobe Flash, lmao.

      With increased use and an increased number of attacks, nominally more security issues will be discovered. It comes with the territory. This, I have said a hundred times and more here. If there was something better out there, it would be used instead of Chromium. But there isn’t, not anytime soon.

      > if anyone cared about security they wouldn’t be using chromium

      And would instead use…? Firefox with no proper site isolation and leaky sandboxing that is 5 years+ behind Chromium in terms of security?

      LOL. Sure.

      Thankfully none of you guys is in charge of security at any sizable organization.

      1. Andy Prough said on July 30, 2023 at 8:59 pm

        @Iron Heart >”… Fire*** …”

        It’s interesting that the only commenter who brings up that browser name is you. It shows up 5 times in comments on this article, all attributed to you. No one else had any attention on it.

    2. owl said on July 30, 2023 at 2:54 pm

      @Andy Prough
      > Google vowing to defeat zero-day exploits reminds me of OJ Simpson vowing to find his wife’s real killer.

      The irony is spot on.
      Google has been deeply conceived conspiracy, and is the farce play of “pretending to be doing” an Oscars candidate?
      The existence of Google is undoubtedly the cause of the chaos in the world.

      Above all, the fundamental culprit is the existence of Google itself, which makes “Advertising” the basis of its business.
      Since Google’s underlying motive is to take control of all advertising businesses around the world, “a safe and comfortable web environment” is nothing more than a pretext.
      Simply put, because Google’s true mission is to “connect the advertising business to Google as much as possible”.
      On the opposite, browser users are nothing more than hunting targets (mere prey).
      Google is the epitome of greedy capitalism.

    3. copper arms said on July 30, 2023 at 6:22 am

      outpacing Flash’s last few years by orders of magnitude – not just the new Flash but the new improved Flash

      https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708

      if anyone cared about security they wouldn’t be using chromium

  3. John G. said on July 29, 2023 at 2:32 pm

    Such a good browser! Oh, wait, it’s Chrome! Hilarious comments in three, two, one…

    1. Iron Heart said on July 30, 2023 at 7:30 pm

      Of course there will be the usual unintelligent comments, Firefox users know they have 3% market share left and need to promote the hell out of their failing project right now. It’s always the same bullshit, the nominal number of security issues is supposed to be “proof” of Chromium’s alleged lack of security. That with increased usage, comes an increased number of attacks, is purposefully not on the radar and is not being discussed at all. I wonder why! Neither is the sheer complexity of the codebase discussed at all, laughable and misguided comparisons with things like Adobe Flash prove this outright.

      Security researchers in the field don’t exactly praise the security of Firefox. Most say that it is a good few years behind Chromium, and lacks several key exploit mitigations that Chromium had 5 years ago already. It’s also irrelevant and hardly used, this directly leads to less scrutiny, and nominally fewer hacks. Does that show that the code base is secure? No, but this type of easily debunked non-sequitur and sheer stupidity is being sold here on gHacks under every single article related to Chromium. This shows the downfall of this blog’s comment section and not much else.

      There is a reason why nobody wants to fork FF or work with the messy codebase of Firefox in general. It’s not because it is the most modern and secure codebase out there. It’s because it is a broken mess that is behind the times.
