25% of All 2020 Zero-Days Would Have Been Preventable with Proper Patching, Says Google
Google recently released a finding that claims that a quarter of all zero-day vulnerabilities discovered being exploited in the wild in 2020 would have been avoided if vendors had patched their products correctly. Through its Project Zero security team, Google has said that it detected 24 zero-days exploited by attackers in 2020; six of these were variants of vulnerabilities disclosed in previous years. Because the earlier bugs were already public, attackers could study the older bug reports and the incomplete fixes and then deploy a new version of the exploit.
Project Zero said in a blog post: “Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit.” These included zero-days in Chrome, Firefox, Internet Explorer, Safari, and Windows; three other zero-days discovered and patched in 2020 could have been exploited in a similar fashion.
Maddie Stone, a member of the Project Zero team, said that this situation could have been avoided if vendors had investigated the root cause of the bugs in greater depth and invested more in the patching process. Stone argued that zero-days provide a window into an attacker’s mind that defenders should take advantage of: learn which entry vectors the attacker is trying to exploit, determine the vulnerability class, and then deploy comprehensive mitigations rather than a fix for the single reported case. Stone also urged other security experts to treat each exposed zero-day as an opportunity and analyze it in greater depth.