Google’s Project Zero security team has an impressive track record when it comes to chasing down and addressing the most critical security flaws found. They’re tireless in their work, which has saved untold billions of dollars and hampered the efforts of hackers all over the world.
The team has gathered some rather shocking statistics, however, including this eye-opener:
Based on their research, fully one fourth of the Zero-day exploits being discovered in use in the wild could have been avoided entirely if vendors and IT admins had properly patched their products.
Over the course of 2020, the team detected a total of 24 zero-day exploits. Six of these were variations on a theme; vulnerabilities disclosed in prior years, where hackers had access to older bug reports and had plenty of time to study older issues, making a few simple tweaks and winding up with a brand new zero-day exploit.
For instance, CVE-2020-0674, which is a Zero-Day Internet Explorer flaw is a variant that combines elements of CVE-2018-8653, CVE-2019-1367, and CVE-20191429.
In a similar vein, the devastating Google Chrome flaw tracked as CVE-2020-6572 is a variant that combines elements of CVE-2019-5870 and CVE-2019-13695. The Apple Safari zero-day issue tracked as CVE-2020-27930 is virtually identical to the one discovered back in 2015 and tracked as CVE-2015-0093.
On the one hand, this news is rather depressing as it seems that many in the IT security profession seem to be making things harder on themselves than they need to be. On the other hand, as Maddie Stone, a member of the Project Zero team observed, these kinds of insights are the exact reason the team was formed to begin with.
By studiously identifying and shutting down the most glaring and serious flaws and gathering statistics and data on them, the hope is to make them increasingly harder for hackers around the world to take advantage of in years to come. So far, that approach seems to be working. Kudos to Google and the Zero Day team.