In 2021, the tech industry found and disclosed 58 zero-day exploits, the most ever recorded since 2014, Google Project Zero said in a new report.
The number represents a drastic increase from the previous maximum of 28 disclosed in 2015, however, it doesn’t mean that threat actors have started using zero-days more often, but rather that “the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days.”
“With this record number of in-the-wild 0-days to analyze we saw that attacker methodology hasn’t actually had to change much from previous years. Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces,” Google says. “When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities. Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox.”
Out of 58 zero-days recorded in 2021, 39 bugs were memory corruption flaws, including use-after-free, out-of-bounds read and write, buffer overflow, and integer overflow issues.
According to Google, a total of 14 zero-day flaws were found in Chromium last year, affecting the V8 JavaScript engine (CVE-2021-21148, CVE-2021-30551, CVE-2021-30563, CVE-2021-30632, CVE-2021-37975, CVE-2021-38003), the Blink rendering engine (CVE-2021-21193, CVE-2021-21206), WebGL (CVE-2021-30554), IndexedDB (CVE-2021-30633), webaudio (CVE-2021-21166), Portals (CVE-2021-37973), Android Intents (CVE-2021-38000), Core (CVE-2021-37976).
Google’s report goes on to describe the vulnerabilities detected in products such as Microsoft Windows, Microsoft Exchange Server, macOS/iOS, Internet Explorer, Android and others.
“Through 2021 we continually saw the real world impacts of the use of 0-day exploits against users and entities. Amnesty International, the Citizen Lab, and others highlighted over and over how governments were using commercial surveillance products against journalists, human rights defenders, and government officials. We saw many enterprises scrambling to remediate and protect themselves from the Exchange Server 0-days,” Google said. “While the majority of people on the planet do not need to worry about their own personal risk of being targeted with 0-days, 0-day exploitation still affects us all. These 0-days tend to have an outsized impact on society so we need to continue doing whatever we can to make it harder for attackers to be successful in these attacks.”