Google Claims That Half of Zero-Day Bugs Are Due to Poor Patches

Researchers at Google Project Zero noted that half of the zero-day bugs found in H1 2022 – that were exploited before a patch was publicly available – can be avoided if concerned software vendors made better testing of their patches.

Also, there have been four zero-day bugs spotted that were just the variants of previously released patches – produced by hackers. Some of the 18 zero-day bugs they noted today were from Google’s own Chrome and Pixel software too.

Zero-Day Bugs in 2022

Zero-Day bugs are something that is spotted for the first time – in software applications – that even the concerned software vendors haven’t noted yet. Hackers often look for zero-days to exploit, as these may take a longer time to be patched.

While the vendors too rush for making patches available as soon as they can, they often fail to understand the root cause of the problem and release patches without testing them properly.

This was said by researchers at Google Project Zero, where they listed 18 ‘zero-day’ bugs from the first six months of this year – that was exploited before a patch was publicly available. They said that half of these bugs can be avoided if the concerned software vendors have created proper patches, or tested them thoroughly before releasing them to the public.

They noted bugs from Microsoft Windows, Apple iOS and WebKit, Google’s Chromium and Pixel, and Atlassian’s Confluence server. Also, there were four truly unique zero-day bugs that attackers exploited, which are mere tweaks of already released patches.

Here are all the zero-day bugs the Google Project Zero team noted this year;

 this year up to June 15.

Product 2022 ITW 0-day Variant
Windows win32k CVE-2022-21882 CVE-2021-1732 (2021 itw)
iOS IOMobileFrameBuffer CVE-2022-22587 CVE-2021-30983 (2021 itw)
Windows CVE-2022-30190 (“Follina”) CVE-2021-40444 (2021 itw)
Chromium property access interceptors CVE-2022-1096 CVE-2016-5128 CVE-2021-30551 (2021 itw) CVE-2022-1232 (Addresses incomplete CVE-2022-1096 fix)
Chromium v8 CVE-2022-1364 CVE-2021-21195
WebKit CVE-2022-22620 (“Zombie”) Bug was originally fixed in 2013, patch was regressed in 2016
Google Pixel CVE-2021-39793*

* While this CVE says 2021, the bug was patched and disclosed in 2022

Linux same bug in a different subsystem
Atlassian Confluence CVE-2022-26134 CVE-2021-26084
Windows CVE-2022-26925 (“PetitPotam”) CVE-2021-36942 (Patch regressed)

LEAVE A REPLY

Please enter your comment!
Please enter your name here