Research by Google Project Zero finds that half of the zero-day vulnerabilities discovered up to June 2022 are closely related to existing ones. It also reveals an unsettling fact: developers are underinvesting in vulnerability management, a process that requires greater commitment, the right prioritization, and rigorous planning.
Research by Google Project Zero revealed that half of the zero-day vulnerabilities discovered so far in 2022 could have been prevented with closer attention to the details of previous vulnerabilities. Security researcher Maddie Stone said that half of the 18 vulnerabilities assessed up to mid-June 2022 were variants of an existing vulnerability.
Moreover, patches are available for the previously identified vulnerabilities. This indicates that even where patches protected susceptible systems, developers did not properly address the root cause of the problem. Weak vulnerability management is letting previously reported zero-day bugs reappear as new problems.
“At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests,” Stone wrote. The lack of thorough vulnerability management procedures has thus pushed the number of vulnerability variants in H1 2022 alone past the totals for 2021 (one) and 2019 (two).
“Many of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched,” Stone added. “In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution flow that the proof-of-concept exploits took were patched, but the root cause issue was not addressed: attackers were able to come back and trigger the original vulnerability through a different path.”
The Chromium property access interceptor vulnerability, tracked as CVE-2022-1096, is one of the more serious flaws this year, given that more than 3 billion instances were affected.
“And in the case of the WebKit and Windows PetitPotam issues, the original vulnerability had previously been patched, but at some point regressed so that attackers could exploit the same vulnerability again,” Stone explained.
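The two failure modes Stone describes (a patch that only blocks the proof-of-concept's path, and a fix that later regresses) are easiest to see on a toy. The following is an added illustration, not code from the article or from Project Zero, and it models no real CVE: a single unchecked copy sink reachable from two callers stands in for a memory-corruption bug, a grown bytearray stands in for an out-of-bounds write, and the build names, `Build`, `trigger` and `regression_matrix` are all constructed for this example. The regression matrix runs the same oversized input through every path of every build, which is the kind of test that would catch both the partial patch and the reintroduced bug.

```python
"""Toy model (constructed, not a real vulnerability) of point-patch vs root-cause fix,
with a regression matrix that exercises every path to the shared sink."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

BUF_SIZE = 16  # fixed-size buffer; exceeding it models an out-of-bounds write


class InputRejected(ValueError):
    """Controlled failure: oversized input refused before it reaches the sink."""


def unchecked_sink(buf: bytearray, data: bytes) -> None:
    # Root cause: no length check at the sink. Slice assignment grows the
    # bytearray when data is longer than buf, which stands in for corruption.
    buf[:len(data)] = data


def checked_sink(buf: bytearray, data: bytes) -> None:
    # Root-cause fix: the bounds check lives in the sink every caller shares,
    # so any new path to it inherits the protection.
    if len(data) > len(buf):
        raise InputRejected(f"{len(data)} bytes into a {len(buf)}-byte buffer")
    buf[:len(data)] = data


@dataclass
class Build:
    """One hypothetical build of the component, with its sink and caller-side checks."""
    name: str
    sink: Callable[[bytearray, bytes], None]
    header_check: bool  # caller-side check added only on the PoC's path

    def from_header(self, buf: bytearray, header: bytes) -> None:
        # Path the public proof-of-concept used.
        if self.header_check and len(header) > len(buf):
            raise InputRejected("header too long")
        self.sink(buf, header)

    def from_body(self, buf: bytearray, body: bytes) -> None:
        # Second, less obvious path to the very same sink (the "variant").
        self.sink(buf, body)


# Hypothetical build history of the component.
BUILDS: Dict[str, Build] = {
    "original": Build("original", unchecked_sink, header_check=False),
    "poc_path_patch": Build("poc_path_patch", unchecked_sink, header_check=True),
    "root_cause_fix": Build("root_cause_fix", checked_sink, header_check=False),
    # Fix lost again later (e.g. a refactor reverted the sink); looks like "original".
    "regressed": Build("regressed", unchecked_sink, header_check=False),
}

PATHS = ("from_header", "from_body")
OVERSIZED = b"A" * (BUF_SIZE + 8)  # constructed regression input


def trigger(build: Build, path: str, payload: bytes) -> str:
    """Run one input through one path and classify the outcome."""
    buf = bytearray(BUF_SIZE)
    try:
        getattr(build, path)(buf, payload)
    except InputRejected:
        return "rejected"
    return "corrupted" if len(buf) > BUF_SIZE else "ok"


def regression_matrix() -> Dict[Tuple[str, str], str]:
    """Every path of every build against the oversized input."""
    return {(name, path): trigger(build, path, OVERSIZED)
            for name, build in BUILDS.items() for path in PATHS}


def passes_regression(build_name: str) -> bool:
    """A build passes only if every known path rejects the oversized input."""
    build = BUILDS[build_name]
    return all(trigger(build, path, OVERSIZED) == "rejected" for path in PATHS)


if __name__ == "__main__":
    for (name, path), outcome in regression_matrix().items():
        print(f"{name:16} {path:12} {outcome}")
    for name in BUILDS:
        print(f"{name:16} passes regression: {passes_regression(name)}")
```

Running it shows `poc_path_patch` rejecting the header path but still corrupting through the body path, `root_cause_fix` rejecting both, and `regressed` failing exactly like `original`. The point of the matrix is that it is built from the sink outward (every caller of the sink, not just the path in the original report), so a variant or a silent revert shows up as a failed test rather than as a new in-the-wild 0-day.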
The Follina vulnerability (CVE-2022-30190) is the most recent zero-day vulnerability to be discovered. At the time of its discovery, late in May 2022, Follina, which resides in Windows and Windows Server, was already being exploited by Chinese hackers using malicious Microsoft Word documents.
Most of the nine zero-day vulnerabilities derived from previous ones are in operating systems (Windows, Android, iOS) and web browsers. The only exception is CVE-2022-26134, in Atlassian Confluence Data Center and Server.
The rate of zero-day vulnerability detection in 2022 has been relatively slow compared to 2021, when 58 zero-day flaws were detected. But 2021 was also exceptionally threatening because of greater cybercriminal activity on all fronts, a direct consequence of the COVID-19-induced increase in attack surface.
Figure: Zero-day vulnerabilities detected by year (data for 2022 through June 15)
Stone suggested that developers improve detection by investing in root cause analysis, variant analysis, patch analysis, and similar work. “When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again,” Stone said.
“The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method.”