Friday, March 29, 2024

Google Claims Half of all Zero-Day Bugs Are Due to Poor Patches

Google Project Zero has noted a total of 18 zero-day bugs so far this year.

Researchers at Google Project Zero found that half of the zero-day bugs exploited in the first half of 2022 (bugs that were exploited before a patch was publicly available) could have been avoided if the affected software vendors had tested their patches more thoroughly.

In addition, four of the zero-day bugs were simply variants of bugs that had already been patched, reworked by attackers to get around the earlier fix. Some of the 18 zero-days noted so far this year were in Google's own Chrome and Pixel software.

Zero-Day Bugs in 2022

A zero-day bug is a flaw in a software application that is discovered for the first time, before the affected vendor is aware of it. Attackers often hunt for zero-days to exploit, since such bugs can take longer to be patched.

Vendors, in turn, rush to make patches available as quickly as they can, but they often fail to understand the root cause of the problem and ship patches without testing them properly.

That is the conclusion of researchers at Google Project Zero, who listed 18 zero-day bugs from the first six months of this year that were exploited before a patch was publicly available. They said half of these bugs could have been avoided had the affected vendors written proper patches, or tested them thoroughly before releasing them to the public.

The bugs they noted were in Microsoft Windows, Apple iOS and WebKit, Google's Chromium and Pixel, and Atlassian's Confluence Server. Four of the zero-day bugs attackers exploited were not genuinely new, but merely tweaks of bugs that had already been patched.
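To make concrete what an incomplete patch looks like, here is an added illustration that is not from the Project Zero report or from any of the products it lists. It uses a constructed Python file-serving helper (the names BASE, resolve_original, resolve_narrow_patch, resolve_root_cause_fix, run_regression and count_escapes are all hypothetical): a narrow patch that blocks only the reported trigger string, a root-cause fix that checks the resolved path, and a small regression suite with variant inputs of the kind a thorough patch test should include.

```python
"""Symptom-level patch vs. root-cause fix: a constructed illustration.

This is a toy example, not code from any of the products or CVEs in the
Project Zero list. A file-serving helper must keep every request inside a
base directory. Three versions are shown: the original (vulnerable), a narrow
patch that only blocks the exact string from the first bug report, and a
root-cause fix that validates the resolved path. A small regression suite
then shows which version survives trivial variants of the original trigger.
"""
import posixpath

# Hypothetical document root for the toy server.
BASE = "/srv/www/public"


def resolve_original(user_path: str) -> str:
    """Original code: trusts the user-supplied path completely."""
    return posixpath.join(BASE, user_path)


def resolve_narrow_patch(user_path: str) -> str:
    """Narrow patch: rejects only the literal '../' seen in the first report.

    This is the kind of fix that blocks the reported proof-of-concept while
    leaving the underlying problem (no check on the final path) in place.
    """
    if "../" in user_path:
        raise ValueError("rejected")
    return posixpath.join(BASE, user_path)


def resolve_root_cause_fix(user_path: str) -> str:
    """Root-cause fix: normalise the joined path and verify it is under BASE.

    Stripping leading slashes stops posixpath.join() from discarding BASE on
    an absolute input; normpath() collapses '..' segments; the final check is
    on the result, not on the input string, so it covers all spellings.
    """
    candidate = posixpath.normpath(posixpath.join(BASE, user_path.lstrip("/")))
    if candidate != BASE and not candidate.startswith(BASE + "/"):
        raise ValueError("rejected")
    return candidate


def escapes_base(path: str) -> bool:
    """True if the (normalised) path lies outside BASE."""
    normalised = posixpath.normpath(path)
    return not (normalised == BASE or normalised.startswith(BASE + "/"))


# Constructed regression inputs: the trigger from the original report plus
# the variants a thorough patch tester should try next.
CASES = {
    "images/logo.png": True,     # legitimate request: must still be served
    "../../etc/passwd": False,   # the trigger from the original report
    "..": False,                 # variant: no '../' substring at all
    "/etc/passwd": False,        # variant: absolute path, join() drops BASE
}


def run_regression(resolver) -> dict:
    """Map each case to 'ok', 'escaped' (left BASE) or 'rejected-legit'."""
    results = {}
    for user_path, should_allow in CASES.items():
        try:
            resolved = resolver(user_path)
        except ValueError:
            results[user_path] = "rejected-legit" if should_allow else "ok"
            continue
        results[user_path] = "escaped" if escapes_base(resolved) else "ok"
    return results


def count_escapes(resolver) -> int:
    """Number of cases for which the resolver let a request leave BASE."""
    return sum(1 for v in run_regression(resolver).values() if v == "escaped")


if __name__ == "__main__":
    for fn in (resolve_original, resolve_narrow_patch, resolve_root_cause_fix):
        print(f"{fn.__name__:24s} escapes={count_escapes(fn)} {run_regression(fn)}")
```

Running the script shows the original letting all three hostile cases out of BASE, the narrow patch stopping only the exact reported trigger (the ".." and absolute-path variants still escape), and the root-cause fix passing every case while still serving the legitimate request. The regression table is the part that matters: a patch that only closes the reported input, without a test for its variants, is the pattern Project Zero's "variant" column records.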


Here are all the zero-day bugs the Google Project Zero team noted this year, up to June 15:

| Product | 2022 ITW 0-day | Variant |
|---|---|---|
| Windows win32k | CVE-2022-21882 | CVE-2021-1732 (2021 itw) |
| iOS IOMobileFrameBuffer | CVE-2022-22587 | CVE-2021-30983 (2021 itw) |
| Windows | CVE-2022-30190 ("Follina") | CVE-2021-40444 (2021 itw) |
| Chromium property access interceptors | CVE-2022-1096 | CVE-2016-5128; CVE-2021-30551 (2021 itw); CVE-2022-1232 (addresses incomplete CVE-2022-1096 fix) |
| Chromium v8 | CVE-2022-1364 | CVE-2021-21195 |
| WebKit | CVE-2022-22620 ("Zombie") | Bug was originally fixed in 2013; patch was regressed in 2016 |
| Google Pixel | CVE-2021-39793** | Linux: same bug in a different subsystem |
| Atlassian Confluence | CVE-2022-26134 | CVE-2021-26084 |
| Windows | CVE-2022-26925 ("PetitPotam") | CVE-2021-36942 (patch regressed) |

** While this CVE says 2021, the bug was patched and disclosed in 2022.

RiSec.Mitch
Just your average information security researcher from Delaware US.