The number of people in the world whose sole focus is digging into the guts of zero day vulnerabilities in software, figuring out where they lie, how to trigger them, and how to fix them, is pretty low. The work is painstaking and difficult and can be quite frustrating. Maddie Stone is part of the community of researchers whose days are filled with this work, and she’s concerned that software vendors aren’t doing enough to make it difficult for attackers to find and exploit zero days.
“We have a problem. We’re not making zero day hard in the first place. We don’t require all these elite skills to exploit them either,” Stone, a security researcher on Google’s Project Zero team, said during a talk at the Enigma conference Tuesday.
In her research, Stone tracks zero days that are publicly known to have been used in the wild, which, in 2020, was 24 separate bugs. Google maintains a public spreadsheet of these vulnerabilities, but it is necessarily limited to bugs known to have been exploited. It obviously doesn’t include vulnerabilities that are still unknown to the defense community or those that have been detected in use but kept private. But the Google data set is likely the best public repository of information on exploited zero days, and a quick glance will reveal that many of the zero day flaws unearthed in 2020 were in browsers. Firefox, Chrome, and Internet Explorer make several appearances each, which comes as no surprise given the value to an attacker of a zero day exploit in a popular browser. Even with the significant investments that Mozilla, Microsoft, and Google have made in hardening their browsers, vulnerabilities still surface, and when they do, the vendors patch them and move on.
However, those patches are not always enough, which is what has Stone concerned. Of the 24 zero days Google tracked last year, six of them were variants of previously disclosed bugs. Those vulnerabilities were the result of incomplete or incorrect patches, giving attackers another shot.
“What I can take away from 2020 is incomplete patches are making it easier for attackers to exploit zero days. We’re allowing the reuse of lots of different vulnerabilities that we produce,” Stone said.
“We need correct and complete patches from our vendors.”
Incomplete patches have been a thing for as long as there have been vulnerabilities, and they still occur pretty regularly. When someone (hopefully a researcher) discovers that a patch for a given vulnerability is incomplete or incorrect, it generally just results in another quick patch release and life goes on. But when this happens with a zero day that has already been exploited, things get a little hairier. In those cases, at least one attacker, and possibly more, already knew where the vulnerability was and how to exploit it and may already have a target list at the ready. If the patch doesn’t completely address the problem, then attackers may be able to make a few small tweaks to their exploit code and go right on about their business.
This happened more than once in 2020, and one of the examples actually began in 2019 and stretched into the next year. That string of flaws began with CVE-2019-0880, a bug in the splwow64.exe component in Windows that Microsoft patched in July 2019. However, the patch was incomplete and another variant of the flaw emerged in June 2020, followed by two more variants several months later. A similar thing happened with a series of bugs in the Jscript engine in IE, and several bugs in the V8 engine in Chrome.
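The difference between a patch that blocks the one input seen in an exploit and a patch that removes the root cause is easiest to see in code. The following is a constructed illustration added here, not code from the talk or from any of the affected vendors, and it is not modelled on the splwow64, Jscript or V8 bugs mentioned above. It uses a hypothetical path-resolution routine in three versions (unpatched, incompletely patched, properly patched) and a small harness that plays the role of variant analysis: it feeds each version the original exploit input plus a few tweaks and reports which variants still work. The root, file names and inputs are all made up for the example.

```python
"""Constructed illustration of an incomplete patch versus a root-cause fix.

The resolve_resource_* functions are hypothetical and are not based on any
real vendor code; they only show why a patch that rejects the exact input
from the original report leaves working variants for the attacker.
"""
import posixpath

# Constructed "document root". Nothing is read from disk; we only compute paths.
ROOT = "/srv/app/public"


def resolve_resource_unpatched(user_path: str) -> str:
    """Original bug: user input is joined onto ROOT with no check at all."""
    return posixpath.join(ROOT, user_path)


def resolve_resource_incomplete(user_path: str) -> str:
    """Incomplete patch: rejects the one shape seen in the original exploit
    (a path beginning with '../') and nothing else. The underlying problem,
    that the resolved path is never checked against ROOT, is still there."""
    if user_path.startswith("../"):
        raise ValueError("path traversal rejected")
    return posixpath.join(ROOT, user_path)


def resolve_resource_complete(user_path: str) -> str:
    """Root-cause fix: canonicalise the joined path and require that the
    result still lies under ROOT. Every traversal variant, however it is
    spelled, fails this containment check."""
    candidate = posixpath.normpath(posixpath.join(ROOT, user_path))
    if candidate != ROOT and not candidate.startswith(ROOT + "/"):
        raise ValueError("path traversal rejected")
    return candidate


def escapes_root(resolved: str) -> bool:
    """True if the resolved path points outside ROOT, i.e. the exploit worked."""
    normalised = posixpath.normpath(resolved)
    return not (normalised == ROOT or normalised.startswith(ROOT + "/"))


def variant_survives(patched_fn, inputs) -> list:
    """Return the inputs that the given version accepts AND that still escape
    ROOT: the working variants an attacker has left after the patch ships."""
    survivors = []
    for user_path in inputs:
        try:
            resolved = patched_fn(user_path)
        except ValueError:
            continue  # the patch caught this one
        if escapes_root(resolved):
            survivors.append(user_path)
    return survivors


# Constructed inputs: the exploit shape from the original report, then small
# tweaks of the kind someone who already has a working exploit would try next,
# and finally a benign request that must keep working after any patch.
ORIGINAL_EXPLOIT = "../../../etc/passwd"
VARIANTS = [
    ORIGINAL_EXPLOIT,
    "static/../../../../etc/passwd",  # traversal hidden behind a benign prefix
    "./../../../etc/passwd",          # leading './' defeats startswith('../')
    "/etc/passwd",                    # absolute path; join() discards ROOT
    "images/logo.png",                # legitimate request
]


if __name__ == "__main__":
    for name, fn in [
        ("unpatched", resolve_resource_unpatched),
        ("incomplete patch", resolve_resource_incomplete),
        ("complete patch", resolve_resource_complete),
    ]:
        print(f"{name:17s} working variants: {variant_survives(fn, VARIANTS)}")
```

Run as a script, the harness shows the unpatched version falls to every malicious input, the incomplete patch stops only the original exploit string while the three tweaked variants still escape the root, and the containment check stops all of them while still serving `images/logo.png`. The same idea scales up: a patch for an exploited zero day should be checked against variants of the triggering input, not just the one sample that was caught.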
The issue of incomplete patches is a serious one, but there are also concerns about the number of zero days that researchers are able to detect in the wild. No one believes that the 24 zero days Project Zero tracked last year were the only ones exploited in the wild, and Stone would like to close that gap.
“We know that not all zero days are detected. The more I do this work, the more I’m convinced we’re detecting smaller and smaller numbers of zero days being used in the wild,” she said. “Detection bias is an issue. But more pressing is that detection is a hard problem and attackers are still able to use the same techniques and methods.”