Six months into 2022, researchers have detected 18 zero days that have been exploited in the wild, but half of those bugs are variants of vulnerabilities that were patched previously, some as long ago as 2013.
Security researcher Maddie Stone, part of Google’s Project Zero team, tracks zero days that are exploited in the wild and performs root cause analyses to figure out the underlying cause of each bug. In 2021, there were 59 zero days detected as exploited in the wild, more than double the 25 that were discovered in 2021. The pace so far this year is much slower, but there could have been even fewer exploited in the wild had the fixes for previous flaws been more comprehensive and tested more extensively. Several of the zero days detected this year are variants of other bugs that were exploited as zero days in 2021, while others are the result of incomplete patches or regressions.
“Many of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched. In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution flow that the proof-of-concept exploits took were patched, but the root cause issue was not addressed: attackers were able to come back and trigger the original vulnerability through a different path,” Stone wrote in a post analyzing the data compiled so far this year.
“And in the case of the WebKit and Windows PetitPotam issues, the original vulnerability had previously been patched, but at some point regressed so that attackers could exploit the same vulnerability again.”
In some cases, when a vulnerability is disclosed–especially if it’s being exploited in the wild–the affected vendor is under pressure and time constraints to produce a fix. That pressure may lead to shorter testing times and/or an incomplete fix, which can produce the conditions Stone described. If the root cause of a vulnerability is not addressed, clever, patient attackers may be able to find a new way to trigger the same bug. Even large vendors with well-resourced security and QA teams can run into this issue, as the Chrome, Windows, and iOS variants exploited this year show.
In one recent example, Apple patched a vulnerability in WebKit in February that had been exploited in the wild. The bug was actually originally discovered and patched in 2013, but it was reintroduced in 2016 during a code refactoring effort and then exploited by attackers as a zero day in 2022.
“When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders.”
“Usually when we talk about variants, they exist due to incomplete patches: the vendor doesn’t correctly and completely fix the reported vulnerability. However, for CVE-2022-22620 the vulnerability was correctly and completely fixed in 2013. Its fix was just regressed in 2016 during refactoring. We don’t know how long an attacker was exploiting this vulnerability in-the-wild, but we do know that the vulnerability existed (again) for 5 years: December 2016 until January 2022,” Stone wrote in an analysis of the WebKit bug and its reemergence.
One of the oddities involved in tracking zero days exploited in the wild is that detecting more of them isn’t necessarily a bad sign, just as detecting fewer isn’t necessarily a good sign. Detection and identification of a zero day exploit relies on a number of factors, and while defenders and security researchers are getting better at doing so all the time, attackers also are improving their own skills and ability to find vulnerabilities and disguise their activities when they exploit them. It’s a constant back-and-forth, but when a zero day is detected and becomes public, it’s a key opportunity for researchers to dig into the methods their adversaries are using.
“When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes,” Stone said.
To help avoid future cases in which variants of fixed vulnerabilities emerge, Stone encouraged researchers and vendors to share root cause analyses whenever possible and analyze patches as well as exploits in order to fully understand adversary tactics.