0days in numbers: Chrome, Windows, Exchange… What are attackers and manufacturers looking for?

Sergio de los Santos    27 April, 2022

Very interesting data from Google’s Project Zero, which tries to catalogue, find and publicise 0days. They do not discover them directly, but “detect” them in any vendor’s products once they are being exploited, provided the vendor declares them as such. They can then analyse, alert and correct in order to close the door to attackers as soon as possible.

They advocate proper 0day cataloguing and transparency to improve the community. The starting point, for example, is for vendors to properly label their vulnerabilities as in-the-wild (or not) when they are detected or corrected. This year they have detected 58. The previous record was 28 in 2015. Project Zero has been working since 2014.

0days are vulnerabilities found when they are already being exploited by attackers and, therefore, before a patch is available.

The numbers from this tracking are rather interesting. If we break them down by major vendor for 2021, they look like the following chart.

0days reported by vendor in 2021

Source: Project Zero

Does this chart mean that Chrome has more flaws and is more vulnerable? Not at all. In fact, there is so much information to be gleaned from this chart that it is necessary to break the argument down.

Chrome

14 0days reported in 2021. Undoubtedly, the browser is the one that has been attracting the greatest interest from attackers for some time now. Firstly because of the number of new attacks carried out through it, and secondly because it is known that bypassing Chrome’s sandbox has always been a technical challenge.

Now, however, it is even more of a target because Edge uses Chromium and some of the bugs may be shared. Six of these bugs were in the V8 JavaScript engine.

Webkit (Safari)

This is the first full year in which Apple has reported 0days as such in Webkit. That makes 7, so you can’t really establish a trend yet. Certainly a lot compared to its market share, but we already know that it is a juicy target, above all on iPhones. Again, 4 of them were in the JavaScript engine.

Internet Explorer

Yes, it still matters, given how deeply embedded it is in the system and, as a consequence, that it is still Office’s HTML engine. In addition, there have consistently been 3 or 4 0days a year in it since 2015.

Windows

10 0days. The curious thing is that until now, the vast majority of them were attacking win32k to escalate privileges: up to 75% of all Windows 0days in previous years.

In 2021, only 20% attacked this driver. Why? Because these attacks were aimed at versions prior to Windows 10. With the disappearance of those versions, this module becomes more complex to exploit. Although it may not seem like it, in this respect Windows 10 is more heavily shielded.

iOS/MacOS

Apple is always hermetic, but 2021 has been the first year in which it has reported 0days as such in its operating systems. There have been 5 of them, one of them (the first ever) in macOS; until now all of them had been in iOS.

Once again, iOS is a very interesting target for attackers in high geopolitical spheres. Pegasus is an example of this.

Android

We have gone from a single 0day in 2019, to none in 2020 and 7 in 2021. And of these 7, 5 were bugs in the GPU driver.

Since the Android ecosystem is highly fragmented, it is difficult to make an exploit that works across most flavours of the operating system. However, a flaw in the GPU driver means an attacker needs only two exploits: one for the Qualcomm Adreno GPU and one for the ARM Mali GPU.

It is curious how not only on Android, but on all other platforms, the bugs most valued by attackers are privilege escalations. Why? Because getting the user to execute code in the first place is relatively easy thanks to social engineering.

Exchange Server

The big star of 2021. It is the first time it has appeared since 2014, and it does so with 5. It is also true that 4 of them were part of the same operation or campaign, related to ProxyLogon.

Conclusions

It will never be known how much remains unknown, or what portion of the total number of 0days attackers are using these 58 represent. At least this year is the first in which Apple has committed to labelling its vulnerabilities as known in-the-wild for Webkit, iOS and macOS.

Most of these 58 0days follow very similar practices to those seen before: they build on known exploits and vulnerabilities to develop new and derivative exploits. Only two were new in their techniques and sophistication. And this is quite relevant, because as long as known methods, techniques or procedures are used, they are theoretically easier to detect, since they are “expected”. This is where the industry should improve.

Another conclusion is that these numbers show us something incomplete, part of a full map we do not know. These are only the vulnerabilities that vendors declared as 0days detected in the wild. There will certainly be more, but we don’t know how many. Google’s call for all vendors to report their 0days as such is of great help for analysing the industry itself.
