The number of zero days detected in the wild dropped significantly in 2022, down 40 percent from the previous year, but researchers who track zero day exploit activity closely warn that’s not necessarily an entirely positive sign.
Last year, researchers detected 41 zero day vulnerabilities being used in the wild, down from 69 in 2021, which was the most since Google began tracking them in 2015. Most years, the number hovers somewhere in the low twenties, so 41 is still a significant number of zero days to find in the wild. And just because the number goes down from one year to the next doesn’t mean that product security is getting better or that defenders are getting better at detecting the use of zero days.
Maddie Stone of Google’s Threat Analysis Group, who heads the company’s efforts to detect and analyze the use of zero days, said the picture is quite complex and includes the behavior of both attackers and defenders as well as the work of security researchers. Detecting the use of zero days in the wild gives defenders some more information with which to make decisions, but it is not a singular determining factor.
“The number of 0-days detected and disclosed in-the-wild can’t tell us much about the state of security. Instead we use it as one indicator of many. For 2022, we believe that a combination of security improvements and regressions influenced the approximately 40% drop in the number of detected and disclosed 0-days from 2021 to 2022 and the continued higher than average number of 0-days that we saw in 2022,” Stone said.
“Both positive and negative changes can influence the number of in-the-wild 0-days to both rise and fall. We therefore can’t use this number alone to signify whether or not we’re progressing in the fight to keep users safe. Instead we use the number to analyze what factors could have contributed to it and then review whether or not those factors are areas of success or places that need to be addressed.”
Some of the bigger factors that could cause a decrease in the number of zero days being detected in the wild are that fewer zero days exist, exploiting the ones that do exist requires more effort and new techniques, and that attackers don’t necessarily need to use zero days to be successful. One clear example of the latter factor is the Android ecosystem, which includes the Android operating system as well as many, many device manufacturers and other software suppliers. Oftentimes, Google or another upstream supplier will release a fix for a bug, but the device manufacturers don’t incorporate it into their own Android releases right away, leaving an opening for attackers to exploit a publicly known vulnerability.
“When a 0-day is caught in the wild it’s a gift. Attackers don’t want us to know what vulnerabilities they have."
“These gaps between upstream vendors and downstream manufacturers allow n-days - vulnerabilities that are publicly known - to function as 0-days because no patch is readily available to the user and their only defense is to stop using the device. While these gaps exist in most upstream/downstream relationships, they are more prevalent and longer in Android,” Stone said.
“This is a great case for attackers. Attackers can use the known n-day bug, but have it operationally function as a 0-day since it will work on all affected devices.”
Concurrent with the overall drop in zero days detected in the wild, the number of browser zero days detected in 2022 declined by 42 percent. This is likely a result of browser manufacturers implementing more exploit mitigations, as well as of attackers focusing their attention on other areas. Stone pointed out that in 2022 more attackers were using zero-click exploits, which don’t require any user interaction and usually target components other than the browser, such as iMessage.
One clear area of opportunity for software makers and tech providers is to reduce the ability of attackers to exploit variants of previously disclosed vulnerabilities. Nearly half of the zero days detected in the wild in 2022 were variants of other bugs. This is consistent with previous years, and sometimes those variants are even based on other zero days that were caught in the wild.
“When a 0-day is caught in the wild it’s a gift. Attackers don’t want us to know what vulnerabilities they have and the exploit techniques they’re using. Defenders need to take as much advantage as we can from this gift and make it as hard as possible for attackers to come back with another 0-day exploit,” Stone said.