Google's Project Zero security team has published its annual report on 0-day exploits, covering the year 2021. It has also compared this information against its historical data, dating back to 2014. Its analysis has resulted in a bunch of interesting insights and questions in this domain.
For starters, Google Project Zero detected 58 0-day exploits in 2021, this is a record high since the team started tracking this metric in 2014. It is also important to note that only 25 0-day exploits were detected in 2020. That said, this does not necessarily mean that attackers have become more active and successful. Google says that attack patterns and surfaces have remained mostly static in 2021 - barring a couple of novel 0-days - so it believes that the record high figure is actually due to increased detection and disclosure.
Google praised Microsoft, Apple, Apache, and its own Chromium and Android teams for publicly disclosing vulnerabilities in security bulletins in their own products during 2021. It also noted that exploits were detected and disclosed in Qualcomm and ARM products too, but it's unfortunate that these were not detailed in the vendors' own advisories. Google Project Zero believes that there is likely a higher number of 0-day exploits, but the exact number is not known because many vendors do not disclose any discovered vulnerability.
As can be seen above, vendors detected and disclosed the most number of 0-days in their own products. Project Zero emphasizes that vendors have the most telemetry about their own products and as such, are most likely to cause an uptick in the chart if they publicly disclose information about discovered exploits too.
Google Project Zero did notice an odd trend, though. Almost all 0-day exploits used publicly known bug patterns, attack surfaces, and exploit mechanisms. This means that 0-day is not hard enough for attackers yet because if that was true, attackers would be gravitating more towards newer surfaces and attack patterns.
The most 0-day exploits were discovered in Chromium in 2021, accounting for 14 of the total. 13 out of these were memory corruption bugs. Seven were detected and disclosed in Apple's WebKit, it is interesting to know that only one 0-day exploit had ever been disclosed in this piece of software prior to 2021. Internet Explorer had four 0-days, which is consistent with historical trends. Google Project Zero says:
Since we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we’ve ever tracked even though Internet Explorer’s market share of web browser users continues to decrease.
So why are we seeing so little change in the number of in-the-wild 0-days despite the change in market share? Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn’t use Internet Explorer as their Internet browser. While the number of 0-days stayed pretty consistent to what we’ve seen in previous years, the components targeted and the delivery methods of the exploits changed. 3 of the 4 0-days seen in 2021 targeted the MSHTML browser engine and were delivered via methods other than the web. Instead they were delivered to targets via Office documents or other file formats.
10 0-days were disclosed for Windows, however, only 20% targeted Win32k in 2021, compared to 75% in 2019. Google explains that the reason for this is that exploits in 2019 were targeting older versions of Windows and since Microsoft has patched this area quite a bit in Windows 10, it's harder to use it as an attack surface as older versions of Windows reach end-of-support and a dwindling user base.
Finally, seven exploits targeted Android, five for Microsoft Exchange Server, four for iOS, and one for macOS.
Google has also raised a bunch of interesting questions based on its report. Among these are whether we have a lack of known 0-day exploits for some products because attacks against them aren't successful or because vendors don't disclose them publicly? Are we detecting the same bug patterns because we have become proficient in them? Only five of the 58 0-days have public exploit samples, how do we get access to more?
All of these questions and more are discussed in Google's detailed report here. Moving forward, the Project Zero team has suggested making exploit detection and disclosure a standard policy industry-wide, public sharing of exploit samples, and increased efforts to reduce memory corruption bugs, among other things.