Google’s security-focused Project Zero first started keeping records of exploited zero-day vulnerabilities in popular software in 2014. Since then, no other year has seen as many in-the-wild zero-day exploits as 2021, the tech company announced this week.
Named for vulnerabilities discovered by hacking into software before it was released, zero-days are undetected bugs that have gone uncorrected by the companies that make the software. The openings in the programs can allow hackers to conduct sophisticated attacks.
“2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking,” said Google researcher Maddie Stone in a blog post published Tuesday.
The number is more than double the previous record of 28 zero-days discovered in 2015, Stone said.
The zero-days being found aren’t necessarily getting cleverer. The vast majority of the exploits tracked by Google in 2021 weren’t particularly novel, seeming to use the “same bug patterns and exploitation techniques and going after the same attack surfaces” that hackers have always targeted, writes Stone.
Some of last year’s biggest targets included Apple’s iOS and macOS, Microsoft Windows and Exchange, and Google itself, which logged a record 14 zero-days in its Chrome browser (up from seven in 2020). Google’s Android, meanwhile, saw seven zero-days.
The question is: why are there so many new bugs being discovered? Is it because software security is getting lazier? Are hackers getting better at hacking? Google researchers seem to feel that it’s actually because the security industry is getting better at finding and sharing information about its issues.
“While we believe there has been a steady growth in interest and investment in zero-day exploits by attackers in the past several years, and that security still needs to urgently improve, it appears that the security industry’s ability to detect and disclose in-the-wild 0-day exploits is the primary explanation for the increase in observed 0-day exploits in 2021.”
In general, companies seem to be getting better at disclosing their security issues to the public. That said, “there is still plenty more work to do,” Stone writes, noting that one of Google’s goals is to see zero-day disclosures become an industry-wide norm.
You can check out Google’s full record of tracked zero-days in this continually updated spreadsheet. As you can see, 2022 is already off to a banner start for bugs, with over a dozen zero-day vulnerabilities discovered in the first four months of this year.