Zero-Day Vulnerabilities Are on the Rise

Both Google and Mandiant are reporting a significant increase in the number of zero-day vulnerabilities reported in 2021.

Google:

2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That’s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We’ve tracked publicly known in-the-wild 0-day exploits in this spreadsheet since mid-2014.

While we often talk about the number of 0-day exploits used in-the-wild, what we’re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.

Mandiant:

In 2021, Mandiant Threat Intelligence identified 80 zero-days exploited in the wild, which is more than double the previous record volume in 2019. State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups. The proportion of financially motivated actors—particularly ransomware groups—deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated. Threat actors exploited zero-days in Microsoft, Apple, and Google products most frequently, likely reflecting the popularity of these vendors. The vast increase in zero-day exploitation in 2021, as well as the diversification of actors using them, expands the risk portfolio for organizations in nearly every industry sector and geography, particularly those that rely on these popular systems.

News article.

Posted on April 27, 2022 at 1:40 PM • 32 Comments

Comments

tim April 27, 2022 2:26 PM

Are they really on the rise, or are we just improving our ability to detect them as they are first exploited?

@John

Secure Computer – an oxymoron.

Get off your lawn?

John April 27, 2022 3:26 PM

@tim,

My take is the source language is hard to be careful with, and the problem areas are buried deep in libraries and their linkages. Having ‘linear C’ as a visible intermediate would help.

Ada versus C, for example. Even assembly would be better.

John

Clive Robinson April 27, 2022 5:49 PM

@ Bruce, ALL,

The rise could be explained by the thesis of,

“Supply and Demand”

If Demand goes up then the price goes up or the supply goes up, or more often these days both.

The real question is not the number of Zero-Days but the number of underlying vulnerabilities.

There was that old metric that appeared to hold across all programming languages: that about every fifth line of code had some kind of undesirable side effect or bug.

Back then it was used as an argument to chase ever higher levels of software abstraction.

Later the “really incorrect” assumption that “library code is good code” allowed the likes of C++ and other unsafe languages to prosper…

Due to alleged “code reuse”, quite a big chunk of development code is “glue logic” sticking “library code” together…

The big problems with “library code” are the issues of,

1, All things to all men.
2, The Swiss Army Knife model.

Both are effectively guarantees that either the library code will be buggy, or the interface so complex that the glue logic is going to be buggy…

We’ve kind of seen this pop up with Apache Log4j and similar in this past year.

But the interesting thing to note is that Zero-Days these days are often not in “business logic” but in “support logic”; in the case of Log4j it was some weird, mostly unused addition to basic logging functions.

This should be ringing bells in people’s ears and raising red flags in front of their eyes… But the Log4j “take away” by many was not the two points above, but to reopen the mostly pointless “Closed Source -v- Open Source” argument in various ways.

The real issue is that “code reuse” has become some kind of weird perversion, where not just the kitchen sink gets thrown in but the dirty dishes as well. Every edge case and corner case apparently has to be catered for in code libraries these days… All used via “example code” that rarely deals with errors, exceptions or state.

John April 27, 2022 6:34 PM

Hmm….

I REALLY don’t want to write and test another math pack for some ‘new’ processor.

Kinda explains it all to me! ,,,, So use the ‘library’!!!

John

Ted April 27, 2022 7:57 PM

Something caught my attention a few days ago. It was Dave Aitel, formerly of the NSA, taking the position that patching is useless.

I’ll be honest. It knocked the wind out of my sails a little bit. Looking back on it now, I see it was part of a debate hosted by Hack At The Harbor. Someone else took the opposing position.

Now Dave is a good speaker and he did make some interesting points. And to his credit, he did it in a pink headset with what looked like cat ears. Purely based on his articulateness, I thought he was going to win the debate.

To my pleasant surprise, 56% of the audience did not believe patching was useless. My sky is still blue. And, at this moment, I can still walk without falling over.

https://itwire.com/business-it-news/security/patching-is-security-industry-s-thoughts-and-prayers-ex-nsa-man-aitel.html

Marian April 28, 2022 12:51 AM

Can someone explain the discrepancy between Googles count of 58 and Mandiants 80? Are they using a different definition? Is Google grouping them in some way?

I would like to know which number to quote more confidently.

Clive Robinson April 28, 2022 2:54 AM

@ Ted, ALL,

… taking the position that patching is useless.

It depends on your point of view, but yes it is “useless”…

To understand why you first have to ask,

“Why do we patch?”

And the answer is,

“To fix deficiencies”.

From that it is not hard to see that if the code we wrote had no deficiencies then patching would be “unnecessary”, thus serve no purpose, thus be “useless”.

But you can also see how, very embarrassingly, patching is a direct measure of our code’s deficiencies. The more patches we issue, the more we advertise to the world how shoddy our product is.

Patches are in effect the equivalent of a “product recall” for tangible physical products.

In fact, in the early days of microcontrollers, getting the ROM code wrong would cause the need for a “product recall”.

It’s one of the reasons why what were “simpler” embedded products took longer to design than their modern more “complex” products. You had to ensure the number of defects / deficiencies were minimal.

Something way too many see as something we no longer need to do. Which is why we get so much trouble from IoT devices…

In a very warped way, the developers of IoT devices now see customer expectations of failure as being so high that developing patches is very much a pointless, thus useless, endeavour.

So what IoT developers now do is put the minimum of functionality in the IoT device and instead put the main part of the functionality on some server somewhere on the Internet…

The fact that this has some other useful side effects has helped push that thinking as being desirable, which is not good. But it includes,

1, User data has to be sent to the server, thus destroying the user privacy bubble.
2, What the user has purchased is useless without the server service, thus destroying the user’s rights of ownership.

So from the management perspective “patching is useless”; in fact they now take a much harder viewpoint: “patching kills their income streams”.

Sorry if that has ruined your day, but if you start looking you will realise that it is the way the industry is moving. The “user experience” has two or three parts,

1, A thin terminal,
2, A central rented service server,
3, In some cases a thin instrumentation head.

Of which only the second earns any money and gives full control over the user…

Thus as a user your choice is stark,

“Pay over and over or don’t play”

With the “over and over” having way more meaning than just $X/month, think all your user data being stolen from you and sold on, thus total loss of privacy. As your privacy is now “third party business records” the authorities need no warrant to access it at any time for any purpose without your consent. Oh and it’s not just the authorities, it’s anybody that wants to prey on you in some way.

I could go on, but as I’ve said in the past we have “sleepwalked into a trap of our own making”.

So from some perspectives “patches” are now a very existential threat, so “useless” is too mild a word for their psychopathic viewpoint.

Clive Robinson April 28, 2022 3:02 AM

@ John, ALL,

Re : So use the ‘library’!!!

Even though you know it’s “borked” and deliberately breaches your security bubble by time-based side channels, amongst other things?

Sadly, all of which is known to be true with just maths libraries alone; as for other libraries, let’s just assume it is the general case that,

1, They are deliberately borked.
2, They are deliberately backdoored in some way.
3, They deliberately contain many vulnerabilities.

Because that is the way the commercial software industry is moving.

Miguel Farah April 28, 2022 7:05 AM

«we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits»

I, for one, believe that the real reason is there are more 0-days than before, detected or otherwise. There are two reasons for this: 1) the increased dependence on libraries, as others have already commented on; 2) the dwindling quality of actual code, due to less and less care put into its design, implementation and testing, thanks to certain “development methodologies” that promise to Augment Generally, Immediately, Lucrative Earnings by skimping on good practices (all while omitting that this short-term gain will be negated by the extra cost of fixing everything at a much greater cost during the rest of the program’s life cycle).

JohnnyS April 28, 2022 8:26 AM

@Clive Robinson

There’s also the old triad: Fast, Good, Cheap: Pick any two.

If we identify “Fast” as quickly delivered software and Good as secure software, we know that Business will always pick Fast and Cheap. It’s a race to the bottom.

Ted April 28, 2022 3:05 PM

@Clive, All

Re: Patching is useless debate

But you can also see how very embarrassingly patching is a direct measure of our codes deficiencies.

I think Dave would agree with you there. He also argues it gives people a false sense of security.

Unless you reinstall a device, he says, you don’t know if it has rootkits. You also wouldn’t know what info an attacker has stolen in the meantime.

The attack surface is potentially huge, and the task of patching endless. Did I hear the phrase: tilting at windmills?

Like you, he argued it’s best not to have shoddy software to start with. He even went so far as to say that the gov is the best party to handle this, because who else can push against big software companies?

IMO, if the big software vendors would internalize this cost, that would be great too.

Ps: Huawei. One of the biggest contributors to the Linux kernel?

lurker April 28, 2022 6:37 PM

@Ted,
Huawei must be one of the biggest users of the Linux kernel by market share and range of devices, so the decent thing to do is contribute back their code, no?

lurker April 28, 2022 8:26 PM

@Ted
“contribute back their code, no?” is a two-edged question, because I know there are a lot of people who believe, as Dave said, ‘Huawei is a bad actor’. Now the British spooks had a code sharing/review process with Huawei, and their published and private reasons for discontinuing that might not match our expectations. But some published code snippets matched what I have seen inside their phone handsets: the code was very well commented, and the comments reveal how slap-happy their coding and patching is…

Jon April 28, 2022 11:12 PM

Where are the liabilities for those who write crap code like this, that have zero-day vulnerabilities? It’s not inherent to code, having security backdoors, it’s lousy coding – like building a bank vault with an open window.

For Free and Open Source, FOSS, fine. You get what you pay for. But if you then package it up and sell it to someone, then guess whose ass is on the line?

Or Microsoft. “Oh, no, it says in the license agreement that it’s not really valid for anything. What, you want your money back? Ha ha.”

Until the people who profit off the code are penalized for lousy code we’ll be screwed.

J.

SpaceLifeForm April 29, 2022 2:06 AM

@ Ted, lurker, Clive, ALL

Re: Patching is useless debate

Back in the olden daze, we could use a dumb terminal and an acoustic coupler, dial up, and patch the problem for all of the users at the same time.

Clive Robinson April 29, 2022 2:52 AM

@ SpaceLifeForm, lurker, Ted, ALL

Back in the olden daze… …and patch the problem for all of the users at the same time.

That is the “Big Iron” solution, which gave rise to “Thin Client” Systems and so on to the two current paradigms of profit,

1, Cloud Software/Solutions as a Service (SaaS).
2, Dumb IoT as an “instrument head” to a central server.

Both need “thin clients” in the users hands.

But both also take away all the users’ Privacy, and turn them into “beholden rent slaves” or worse “tithed serfs” with no rights of ownership over anything. In short, just another resource to be exploited for maximum profit, the empty husk waste dropped like litter for others to clean up…

I can go on, but hopefully people get the point. If not they can search on “The King Game” or “Estates of Man” to see that the lunatics really do run the asylum, and for their benefit only…

Clive Robinson April 29, 2022 3:51 AM

@ Ted, lurker, ALL,

What kind of slap-happy are we talking about here?

The same sort of “slap-happy” you see in all HiTech Communications Industry code bases. Where management and marketing drive for a share of the thinnest of margins, and only those who can “land grab” via patent and royalties can hope to see long-term returns.

The difference is Huawei’s code was tangibly of better quality… It also was not stolen from other industry players.

The agreement with the UK GCHQ specifically precluded the involvement of other nations’ IC agencies and staff.

Under “political influence” GCHQ broke the agreement from effectively day one.

The problem the US Telco Industry has is “lack of investment in R&D”; thus patent and royalty income was being lost to Huawei and others.

All this 5G nonsense is the US industry, through lobbyists, trying to drive out foreign competition and set up fiefdoms which they can endlessly tax like they used to do.

Thus the US attacks on Huawei are either falsehoods or known to be very dirty old POTS calling new clean pots black.

The US know they have lost 5G in oh so many ways, so that all they can do is,

1, Burn 5G down.
2, Trash those involved.

Thereby bringing 6G forward, but in a way that the real targets such as Huawei are in effect excluded from being involved.

It is a dirty game, and one that the UK Government had tried not to get dragged into. However a change of political leadership in the UK and a few brown envelopes, bungs, backhanders, and other incentives have caused a change in direction.

As has been noted, the current UK Prime Minister is US by birth and appears to be a loyal servant of certain parties there. However, like those parties, he does not want to pay his due, so he has claimed British Citizenship “for tax reasons”, like others close to him claim “Non-Dom” status “for tax reasons”.

As William Shakespeare had one of his characters note, “There is something rotten in the State of Denmark”. So much so it stinks more than the infamous Surströmming (literally “sour herring”).

https://www.swedishfood.com/fermented-herring

A delicacy that rivals even the similar fermented / pickled / rotted whale blubber known as “Hvalspik” in Iceland, or the similar “Muktuk” of arctic natives such as some Inuit, when it is pickled rather than fresh,

https://en.wikipedia.org/wiki/Muktuk

I would like to say that I found the taste of them at least “interesting” or “acquired”, but to be honest, like Hamlet’s patriarchal ghost, it “lingers” long, long after you would wish. Oddly though, the preserved smoked cod’s roe in a tube called “Kalles Kaviar” I can wholeheartedly recommend as an occasional snack with a difference. I got kind of addicted to it as part of breakfast. It added an essential taste, much like Fish Sauce does to stir-fry and anchovy essence does to the best of beef pies, that lifts from the pleasant to the heavenly.

Clive Robinson April 29, 2022 5:02 AM

@ All,

In my above, I forgot to include a link that shows I’m far from the only one who knows what the real game is,

https://www.theregister.com/2021/12/18/us_huawei_malware/

OK, it took them until Dec last year for the weight of evidence to build such that they dared publish such an article.

As I’ve been pointing out for several years, here and in other places, the evidence has been more than sufficiently clear about the dirty game that is going on.

The thing is most people have not just been in denial, they’ve built up a false narrative in their heads and cognitive bias kicked in.

The simple fact is that in every case where the US Gov or their compliant “supposedly” independent companies have claimed attribution, it can with a little digging be found out that in fact the US IC has been in these people’s systems tampering and adding malware and worse.

This is under the “Attack First and Lie Policy” or “Offence Trumps Defence” etc. of the “First Strike” idiocy thought up and rationalised by the likes of Stewart Barker. It’s the same nonsense that gave us “rendition”, “torture” and “Gitmo” that failed so very, very badly, and still do.

Because the US IC has a “Can do, will do” mentality they have prioritized “offence over defence”, and as a result lost a whole lot of their supposedly “Oh so secret tools” that then got used by others to create very visible mayhem.

But amongst those tools were some designed for “False Flag Attacks”, where the US would invade other people’s systems, carry out attacks and similar, but leave behind false evidence to be found by compliant investigators who would then blame other nation states…

As the saying goes, “live by the sword, die by the sword”; other nations now take the view that as they have been attacked and falsely accused by the US Government, they might as well defend themselves in the same manner.

This nonsense escalates, and the real losers are you and I, the citizens that honestly pay their taxes and behave in the civil way we would hope others would do.

The winners are those we do not really see, who gouge from the tax purse huge sums they then further use against the honest taxpayers and citizens. It’s been called the “Military Industrial Complex” (MIC) for more than a lifetime now, and in that time it has changed and is no longer just “industrial”; it has become deeply insidious and now in many respects has subsumed not just many of the tasks of the Military, but also the Intelligence Community, from lowly law enforcement upwards, right through and into space and most every Western home and most first and second world people’s pockets.

All for the benefit of a self-chosen few who believe they are “entitled” by their narcissism, sadism and psychopathic deficiencies to do as they wish against others without let or hindrance… But hey, that’s also called “The American Way”…

Ted April 29, 2022 7:51 AM

@Clive, lurker, All

So much so it stinks more than the infamous Surströmming (literally “sour herring”)

My mom’s family used to talk about lutefisk. From what I’ve heard about how it tastes, and since I never ‘got’ to try it, I guess they’ve since moved on. The Swedish rye bread, however, lives on.

I really don’t know exactly where we come from, but maybe I should. My grandmother used to say they were part Pennsylvania Dutch, which I think was the nice way of saying German.

Clive Robinson April 29, 2022 8:14 AM

@ Ted,

… which I think was the nice way of saying German.

Remember European borders, unless nailed down by geology, have frequently moved.

We have someone who pops up from time to time who is “currently” Estonian; I suspect that if they are not too young they may have had different “papers”… The same with East Germans, Austrians, and as for Eastern Europe, there was a joke about looking at a calendar to decide nationality.

Winter April 29, 2022 8:44 AM

@Ted

Pennsylvania Dutch, which I think was the nice way of saying German.

Actually, the “Dutch” (“Deitsch” ~ “Deutsch” [=German]) part refers to the German languages that the people spoke. Before the 1880s, Germany did not exist as a country. The Pennsylvania Dutch originated from areas which are now in the Netherlands, France, Germany, and Switzerland. (see Wikipedia)

In summary, the Pennsylvania Dutch did not originate from the Netherlands, or from Germany (which did not exist at the time), but from a host of German/Dutch/Franconian/Letzebuergesch/Alemanish/Schweizerdeutsch speaking regions[1] which the English speaking people at the time lumped together as just the “German” language.

[1] North to South, still largely mutually incomprehensible languages.

JonKnowsNothing April 29, 2022 9:06 AM

@ Winter @Ted @All

re: Pennsylvania Dutch

In the USA this descriptor may also be applied to a group of people that adhere to a certain religious viewpoint.

Some of these groups, which originated in European countries, moved around as and when their religious views clashed with the desires of local Kings and War Levies. In order to avoid those conflicts they moved to new areas where they were given safe haven, until that area rescinded the safe haven option.

Some of them migrated out of Europe and settled in other countries around the world. Their views change somewhat from group to group, and they have different interpretations of “what’s allowed and what’s not”.

===

Search Terms

“Plain dress”

“Christian pacifism”

Winter April 29, 2022 9:41 AM

@JonKnowsNothing

In the USA this descriptor may also be applied to a group of people that adhere to a certain religious viewpoint.

You mean Mennonites and Amish?

These actually do go back to a Dutch (Netherlands, or rather Frisian) founder, Menno Simons. They were anabaptists who believed that people should only be baptized after they were actual believers. That is, children should not be baptized.

People at the time believed anyone who died before being baptized would go to hell, which would land all children that died in hell. Priests who were suspected of being anabaptists, and of not properly baptizing babies, were considered worse than child murderers, and treated as such. The Mennonites were often driven out and scattered to the four corners of the earth (Siberia, Brazil, Pennsylvania, among others). The surprising fact is that they are still living their lives as Mennonites there.

The Mennonites and their language are still a subject of research:
ht-tps://src-h.slav.hokudai.ac.jp/coe21/publish/no9_ses/20_degraaf.pdf

Ted April 29, 2022 9:58 AM

@Winter, JonKnowsNothing, Clive, All

re: Pennsylvania Dutch

Oooh. Interesting. Genealogy is really my mom’s wheelhouse. I’ll have to see if she knows more about our “Dutch” line 😉 I’m sure she does.

She and my step-father were just out west in California to look through archives for info on relatives there.

Clive Robinson April 29, 2022 10:40 AM

@ Winter, JonKnowsNothing, Ted, All,

North to South, still largely mutually incomprehensible languages.

The reason is that migration in much of Europe especially in the north was mainly East West for reasons of topology and tree lines etc.

These formed “trade routes” which spread culture and language; thus the Old Germanic or Hun languages spread from Indo-Iranian proto-languages in a band across the north of India, up into Iran, through what we now call Turkey and up into Europe, until the coastline forced them down towards what we now call Belgium/Normandy. From where, supposedly, it spread into what is now the UK. However, some believe that it followed a maritime trade route from Iran out of the Mediterranean, north around Spain/Portugal, missed most of the UK mainland, hit Southern Ireland and headed north into Scotland, and then met up with other Germanic languages.

Whatever the actual routes, Germany as such was notional and did not exist, and the variety of languages from it was something like fifty.

For various reasons, including WWII, Germanic languages are reducing and many no longer exist, as they get replaced by “Standard German”.

Whilst I find the geographical spread of languages of passing interest, it is the movements of trade and industry that interest me a lot more… And this is where things go astray… The claimed spread of languages does not match as well as you would expect with the spread of industrial processes…

So something is lacking / missing / wrong in the historic narrative. Unfortunately one method of following it, which is by “tomb stones”, has also been disrupted by frequent war.

I know it might appear strange to many, but culture and religion have been more reliable indicators of ethnicity in Europe than political boundaries and borders, which almost come in and go out like a tide generated by another planet.

JonKnowsNothing April 29, 2022 11:58 AM

@Winter

re: You mean Mennonites and Amish?

There are a number of groups that might have the name applied generically. One of the groups people think of are the Amish.

lurker April 29, 2022 4:07 PM

@Clive Robinson, @Ted

Thanks for the links to El Reg, I had stopped following the story closely when it became obvious it was just part of “the game”. The Bloomberg story on which they based their 20211218 story is interesting for the number of direct quotes from people who “saw nothing, heard nothing, said nothing”.

It caught my eye that the en-ess-eh admitted they “found” evidence of malicious activity on a US network only after being tipped off by AU.

This story does not blame Huawei for doing the spying; Huawei is in the can for allowing the Chinese state system to “infiltrate” its technical support. In the west such actions are usually lubricated by simple ca$h inducements, but China in recent years has been conducting a crackdown on “corruption”, which in practice means that a successful operation requires more money and more cronyism.

El Reg’s 20220218 story starts

The British government has started a consultation to find ways to legally remove the equipment of telecoms giant Huawei from its 5G networks by the end of 2027.

HM Govt has had to pass a law giving them the power to compel private telecom companies not to use “high-risk vendor equipment in public networks”, but if the vendor has good contract lawyers it’s going to take at least 5 years to get the hardware out of contention, by which time we’ll be into 6G…

Chris Drake May 15, 2022 7:53 PM

I notice the spreadsheet contains exclusively CVE listings only.
It’s worth pointing out that actually getting a 0-day onto that list is very difficult, and requires that an approved entity (manufacturers mostly) “accepts” it.

If you’re an independent researcher, none of those entities accept any of our submissions, as I have discovered over a few years of experience now.

If you find problems (e.g. authentication bypass) in a product (e.g. V7610*) from manufacturers who don’t care (e.g. Netgear), it doesn’t matter how many times (e.g. 5+) over how many years (e.g. 3+) you report the bugs; it never gets listed and never gets fixed.

  • Genuine example. The V7160 is the primary router for more than 50% of Australian small businesses, and remains instantly hackable to this day. It is a 100% waste of time trying to get Netgear, Telstra (the main ISP distributing these), or these idiots: https://cve.mitre.org/ to accept reports or fix anything.
