Google Claims Half of all Zero-Day Bugs Are Due to Poor Patches
Google Project Zero noted a total of 18 zero-day bugs this year, so far.
Researchers at Google Project Zero noted that half of the zero-day bugs found in H1 2022 – that were exploited before a patch was publicly available – can be avoided if concerned software vendors made better testing of their patches.
Also, there have been four zero-day bugs spotted that were just the variants of previously released patches – produced by hackers. Some of the 18 zero-day bugs they noted today were from Google’s own Chrome and Pixel software too.
Zero-Day Bugs in 2022
Zero-Day bugs are something that is spotted for the first time – in software applications – that even the concerned software vendors haven’t noted yet. Hackers often look for zero-days to exploit, as these may take a longer time to be patched.
While the vendors too rush for making patches available as soon as they can, they often fail to understand the root cause of the problem and release patches without testing them properly.
This was said by researchers at Google Project Zero, where they listed 18 ‘zero-day’ bugs from the first six months of this year – that was exploited before a patch was publicly available. They said that half of these bugs can be avoided if the concerned software vendors have created proper patches, or tested them thoroughly before releasing them to the public.
They noted bugs from Microsoft Windows, Apple iOS and WebKit, Google’s Chromium and Pixel, and Atlassian’s Confluence server. Also, there were four truly unique zero-day bugs that attackers exploited, which are mere tweaks of already released patches.
Here are all the zero-day bugs the Google Project Zero team noted this year; this year up to June 15.
|Product||2022 ITW 0-day||Variant|
|Windows win32k||CVE-2022-21882||CVE-2021-1732 (2021 itw)|
|iOS IOMobileFrameBuffer||CVE-2022-22587||CVE-2021-30983 (2021 itw)|
|Windows||CVE-2022-30190 (“Follina”)||CVE-2021-40444 (2021 itw)|
|Chromium property access interceptors||CVE-2022-1096||CVE-2016-5128 CVE-2021-30551 (2021 itw) CVE-2022-1232 (Addresses incomplete CVE-2022-1096 fix)|
|WebKit||CVE-2022-22620 (“Zombie”)||Bug was originally fixed in 2013, patch was regressed in 2016|
|Google Pixel||CVE-2021-39793** While this CVE says 2021, the bug was patched and disclosed in 2022||Linux same bug in a different subsystem|
|Windows||CVE-2022-26925 (“PetitPotam”)||CVE-2021-36942 (Patch regressed)|
Suggest an edit to this article
Go to Cybersecurity Knowledge Base
Got to the Latest Cybersecurity News
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
- PHP vs Ruby vs Python vs Go: Comparing Popular Programming Languages for Web Development - 31 March 2023
- Voice ID: How Secure is it Really? - 2 March 2023
- Enterprise users infected by RIG Exploit Kit thanks to Internet Explorer - 27 February 2023