Quick fixes for zero-day vulnerabilities are giving rise to fresh issues for security teams, a new Google report suggests.
According to cybersecurity researchers at Google Project Zero, half of the 18 zero-days found in major software this year could have been prevented had developers done a better job at patching (opens in new tab) the original flaw.
What’s more, four of the zero-days discovered this year are spin-offs of bugs originally identified in 2021.
Browsers are a major target
“At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests,” said Maddie Stone, one of the researchers.
“On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug.”
In total, there were more zero-days discovered in 2021 than in the past five years. But while sloppiness may be a contributing factor, it’s not the only cause of this rise, it was said.
There’s also the fact that, since the demise of the Flash player, cybercrooks have turned their attention towards browsers as their next biggest target. There’s also the fact that browsers have become so big that their code volume rivals that of certain operating systems.
To top it off, researchers have probably gotten better at detecting zero-days being exploited on endpoints (opens in new tab) in the wild than they were five years ago.
Google itself has patched four zero-day vulnerabilities in its Chrome browser, this year alone.