Researchers at Google Project Zero noted that half of the zero-day bugs found in H1 2022 – that were exploited before a patch was publicly available – can be avoided if concerned software vendors made better testing of their patches.
Also, there have been four zero-day bugs spotted that were just the variants of previously released patches – produced by hackers. Some of the 18 zero-day bugs they noted today were from Google’s own Chrome and Pixel software too.
Zero-Day Bugs in 2022
Zero-Day bugs are something that is spotted for the first time – in software applications – that even the concerned software vendors haven’t noted yet. Hackers often look for zero-days to exploit, as these may take a longer time to be patched.
While the vendors too rush for making patches available as soon as they can, they often fail to understand the root cause of the problem and release patches without testing them properly.
This was said by researchers at Google Project Zero, where they listed 18 ‘zero-day’ bugs from the first six months of this year – that was exploited before a patch was publicly available. They said that half of these bugs can be avoided if the concerned software vendors have created proper patches, or tested them thoroughly before releasing them to the public.
They noted bugs from Microsoft Windows, Apple iOS and WebKit, Google’s Chromium and Pixel, and Atlassian’s Confluence server. Also, there were four truly unique zero-day bugs that attackers exploited, which are mere tweaks of already released patches.
Here are all the zero-day bugs the Google Project Zero team noted this year;
this year up to June 15.
|Product||2022 ITW 0-day||Variant|
|Windows win32k||CVE-2022-21882||CVE-2021-1732 (2021 itw)|
|iOS IOMobileFrameBuffer||CVE-2022-22587||CVE-2021-30983 (2021 itw)|
|Windows||CVE-2022-30190 (“Follina”)||CVE-2021-40444 (2021 itw)|
|Chromium property access interceptors||CVE-2022-1096||CVE-2016-5128 CVE-2021-30551 (2021 itw) CVE-2022-1232 (Addresses incomplete CVE-2022-1096 fix)|
|WebKit||CVE-2022-22620 (“Zombie”)||Bug was originally fixed in 2013, patch was regressed in 2016|
* While this CVE says 2021, the bug was patched and disclosed in 2022
|Linux same bug in a different subsystem|
|Windows||CVE-2022-26925 (“PetitPotam”)||CVE-2021-36942 (Patch regressed)|