Google’s Project Zero security research team, on a mission to make zero-day exploits hard, has revealed that 2021 was a record-breaking year. In all, across multiple platforms, Project Zero detected and disclosed some 58 ‘in-the-wild’ zero-days. That’s record-breaker number one right there. But Project Zero’s Maddie Stone has also confirmed that the number of such zero-day exploits against Chromium, which is the power behind web browsers including Google Chrome, Microsoft Edge and Brave, was also record-breaking at 14.
Project Zero found the vast majority of the zero-days it uncovered to be using tried and tested methods. Only two really caught the team's attention from a technically impressive perspective, and both impacted Apple users. Notably, neither relied on memory corruption vulnerabilities, which is worth mentioning because the majority of the rest did. How many? According to the Project Zero report, 67%, or 39 of the 58 in-the-wild exploits detected and disclosed. “Memory corruption vulnerabilities have been the standard for attacking software for the last few decades,” Stone said, “and it’s still how attackers are having success.”
Chrome sees record number of zero-day exploits
So, how does this all break down if we look at the individual platforms coming under attack here? Well, let’s start with Chrome, seeing as this is a Google report, shall we? That record-breaking zero-day number, 14, comprised 10 remote code execution vulnerabilities (nasty) and two sandbox escapes (also nasty), as well as the slightly less nasty single information leak and one more that enabled web pages to be opened in Android apps. All bar one of these, however, were memory corruption vulnerabilities at their core.
The Microsoft Windows attack surface is evolving
Microsoft Windows was the only other platform to hit double figures in 2021, with 10 zero-days in the Project Zero report. Those 10 in-the-wild exploits targeted a total of seven different components, a shift from previous years. In 2019, Stone revealed, 75% of Windows zero-days targeted Win32K; that dropped to just 20% in 2021. Hardly a massive surprise, as the Win32K attack surface has become less and less attractive as older Windows versions reach end-of-life status.
iMessage zero-click, zero-day exploit makes researchers go wow
But it’s when we turn to Apple, specifically two of the five zero-day exploits confirmed, that things start to get interesting, as I mentioned earlier. Indeed, Stone picked out just two exploits, impacting iOS and iMessage, that “stood out as being novel” from the field of 58. Stone went even further, describing these two exploits as the only ones that made the Project Zero research team go ‘wow’ all year. The iMessage zero-click exploit not only earned that reaction, it was also “an impressive work of art” according to Stone. Reportedly described by Project Zero researchers Ian Beer & Samuel Groß as one of the “most technically sophisticated exploits” they had ever seen, it was used in the now infamous NSO Pegasus spyware scandal.
The second vulnerability to grab researcher attention, which has yet to be assigned a CVE number, was an iOS sandbox escape. It stood out because it didn’t go down the usual memory corruption route but instead relied solely on logic flaws.
What about the missing messaging platform?
The Project Zero researchers were also keen to point to major apps that were, perhaps surprisingly, missing from the list: Signal, Telegram and WhatsApp in particular. While messaging apps are, the report confirmed, “targets of interest to attackers,” only iMessage had a zero-day in 2021. Or, rather, only iMessage had a zero-day that the team found. Historically this isn’t all that surprising: in the seven years since Project Zero started tracking, only one other messaging zero-day, WhatsApp in 2019, has surfaced before iMessage in 2021. That doesn’t mean they don’t exist, and the analysis itself asks whether they are absent through lack of detection or lack of disclosure. More broadly, the Project Zero report also doesn’t mean that security is somehow failing; quite the opposite. Through transparent vulnerability reporting, including when a patched flaw is already being exploited in the wild, security continues to improve. Detecting, disclosing and sharing this kind of information is a good thing and a means to a more secure end for us all.
Find out more about the 2021 zero-day exploit threatscape
Visit the Project Zero blog for links to the various zero-day exploits across all the platforms and products mentioned here, as well as Android, Microsoft Exchange Server and WebKit (Safari), as including them all here would have resulted in link overload!
I’d also recommend reading the latest zero-day analysis for last year, now published by Mandiant Threat Intelligence. This confirms that these serious security threats are on the up, with more than twice the previous record-breaking volume identified in 2019. It also offers some interesting geo-political insight into attribution, with “suspected Chinese cyber espionage groups” leading the way.