Google: 0-Day vulnerabilities down in 2022, but still higher than average
Google published a summary of 0-day exploits in the wild in 2022 on the company's official Google Security Blog this week. It is the fourth report of its kind and Google uses it to highlight trends and also progress made regarding 0-day exploits.
The analysis looks at Google's ecosystem, Android and Chrome mainly, for the most part, but it does provide information about other web browsers and operating systems as well.
Maddie Stone, a security researcher at the Threat Analysis Group, writes that Google detected 41 0-day in the wild exploits in 2022. The year 2021 saw an all-time high of 69 0-day exploits in the wild. The 2022 number is still in second place with its 41 different 0-day exploits.
0-day exploits were down on all monitored platforms, except for Apple's macOS platform, which saw a 100% increase from a single 0-day exploit in 2021 to two in 2022. Windows is still the platform with the largest number of 0-day exploits according to Google's report, followed by iOS and Android.
As far as web browser's are concerned, 0-day exploits are down here as well as exploits dropped from 26 to 15. Chrome was affected by the bulk of issues, followed by WebKit and Firefox.
Google observed several shifts in attack patterns and also notable key takeaways when comparing the exploits of 2022 with those of 2021:
- Android patching is still a major issue, as it can turn 0-day exploits into n-day exploits due to missing patches.
- Browser 0-days were down thanks to new browser mitigations and also a shift to 0-click exploit attacks.
- More than 40% of the 0-days discovered in 2022 were variants of already reported vulnerabilities.
Google's key takeaways for 2023 and beyond attempts to address these changing patterns. The company notes that the industry must "get fixes and mitigations to users quickly", make sure that the root cause of a vulnerability is addressed to prevent variants from exploiting i as well, share "as many technical details as possible", and "capitalize on reported vulnerabilities to lean and fix as much as we can from them".
Users interested in additional details on Google's report and strategy going forward can check out the full post the Google Security Blog.Advertisement