URL: https://remarkboard.com/m/google-s-project-zero-58-in-the-wild-0-days-were-detected/1glcydwb8d2ra
Submission: On April 20 via api from US — Scanned from DE


TECH


GOOGLE'S PROJECT ZERO: 58 IN-THE-WILD 0-DAYS WERE DETECTED AND SHARED IN 2021,
MORE THAN DOUBLE THE PREVIOUS RECORD, AS THE INDUSTRY IMPROVES AT FINDING 0-DAYS

This is our third annual year in review of 0-days exploited in-the-wild [2020,
2019].

THE MORE YOU KNOW, THE MORE YOU KNOW YOU DON’T KNOW

PausePlay
% buffered00:00
51:11
UnmuteMute
Disable captionsEnable captions
Settings
CaptionsDisabledQualityundefinedSpeedNormal
CaptionsGo back to previous menu

QualityGo back to previous menu

SpeedGo back to previous menu
0.5×0.75×Normal1.25×1.5×1.75×2×4×
PIPExit fullscreenEnter fullscreen
Play

A Year in Review of 0-days Used In-the-Wild in 2021

This is our third annual year in review of 0-days exploited in-the-wild [2020,
2019]. Each year we’ve looked back at all of the detected and disclosed
in-the-wild 0-days as a group and synthesized what we think the trends and
takeaways are. The goal of this report is not to detail each individual exploit,
but instead to analyze the exploits from the year as a group, looking for
trends, gaps, lessons learned, successes, etc. If you’re interested in the
analysis of individual exploits, please check out our root cause analysis
repository.

We perform and share this analysis in order to make 0-day hard. We want it to be
more costly, more resource intensive, and overall more difficult for attackers
to use 0-day capabilities. 2021 highlighted just how important it is to stay
relentless in our pursuit to make it harder for attackers to exploit users with
0-days. We heard over and over and over about how governments were targeting
journalists, minoritized populations, politicians, human rights defenders, and
even security researchers around the world. The decisions we make in the
security and tech communities can have real impacts on society and our fellow
humans’ lives.

We’ll provide our evidence and process for our conclusions in the body of this
post, and then wrap it all up with our thoughts on next steps and hopes for 2022
in the conclusion. If digging into the bits and bytes is not your thing, then
feel free to just check out the Executive Summary and Conclusion.

2021 included the detection and disclosure of 58 in-the-wild 0-days, the most
ever recorded since Project Zero began tracking in mid-2014. That’s more than
double the previous maximum of 28 detected in 2015 and especially stark when you
consider that there were only 25 detected in 2020. We’ve tracked publicly known
in-the-wild 0-day exploits in this spreadsheet since mid-2014.

While we often talk about the number of 0-day exploits used in-the-wild, what
we’re actually discussing is the number of 0-day exploits detected and
disclosed as in-the-wild. And that leads into our first conclusion: we believe
the large uptick in in-the-wild 0-days in 2021 is due to increased detection and
disclosure of these 0-days, rather than simply increased usage of 0-day
exploits.

With this record number of in-the-wild 0-days to analyze we saw that attacker
methodology hasn’t actually had to change much from previous years. Attackers
are having success using the same bug patterns and exploitation techniques and
going after the same attack surfaces. Project Zero’s mission is “make 0day
hard”. 0-day will be harder when, overall, attackers are not able to use public
methods and techniques for developing their 0-day exploits. When we look over
these 58 0-days used in 2021, what we see instead are 0-days that are similar to
previous & publicly known vulnerabilities. Only two 0-days stood out as novel:
one for the technical sophistication of its exploit and the other for its use of
logic bugs to escape the sandbox.

So while we recognize the industry’s improvement in the detection and disclosure
of in-the-wild 0-days, we also acknowledge that there’s a lot more improving to
be done. Having access to more “ground truth” of how attackers are actually
using 0-days shows us that they are able to have success by using previously
known techniques and methods rather than having to invest in developing novel
techniques. This is a clear area of opportunity for the tech industry.

We had so many more data points in 2021 to learn about attacker behavior than
we’ve had in the past. Having all this data, though, has left us with even more
questions than we had before. Unfortunately, attackers who actively use 0-day
exploits do not share the 0-days they’re using or what percentage of 0-days
we’re missing in our tracking, so we’ll never know exactly what proportion of
0-days are currently being found and disclosed publicly.

Based on our analysis of the 2021 0-days we hope to see the following progress
in 2022 in order to continue taking steps towards making 0-day hard:

2021 was a record year for in-the-wild 0-days. So what happened?

Is it that software security is getting worse? Or is it that attackers are using
0-day exploits more? Or has our ability to detect and disclose 0-days increased?
When looking at the significant uptick from 2020 to 2021, we think it's mostly
explained by the latter. While we believe there has been a steady growth in
interest and investment in 0-day exploits by attackers in the past several
years, and that security still needs to urgently improve, it appears that the
security industry's ability to detect and disclose in-the-wild 0-day exploits is
the primary explanation for the increase in observed 0-day exploits in 2021.

While we often talk about “0-day exploits used in-the-wild”, what we’re actually
tracking are “0-day exploits detected and disclosed as used in-the-wild”. There
are more factors than just the use that contribute to an increase in that
number, most notably: detection and disclosure. Better detection of 0-day
exploits and more transparently disclosed exploited 0-day vulnerabilities is a
positive indicator for security and progress in the industry.

Overall, we can break down the uptick in the number of in-the-wild 0-days into:

In the 2019 Year in Review, we wrote about the “Detection Deficit”. We stated
“As a community, our ability to detect 0-days being used in the wild is severely
lacking to the point that we can’t draw significant conclusions due to the lack
of (and biases in) the data we have collected.” In the last two years, we
believe that there’s been progress on this gap.

Anecdotally, we hear from more people that they’ve begun working more on
detection of 0-day exploits. Quantitatively, while a very rough measure, we’re
also seeing the number of entities credited with reporting in-the-wild 0-days
increasing. It stands to reason that if the number of people working on trying
to find 0-day exploits increases, then the number of in-the-wild 0-day exploits
detected may increase.

We’ve also seen the number of vendors detecting in-the-wild 0-days in their own
products increasing. Whether or not these vendors were previously working on
detection, vendors seem to have found ways to be more successful in 2021.
Vendors likely have the most telemetry and overall knowledge and visibility into
their products so it’s important that they are investing in (and hopefully
having success in) detecting 0-days targeting their own products. As shown in
the chart above, there was a significant increase in the number of in-the-wild
0-days discovered by vendors in their own products. Google discovered 7 of the
in-the-wild 0-days in their own products and Microsoft discovered 10 in their
products!

The second reason why the number of detected in-the-wild 0-days has increased is
due to more disclosure of these vulnerabilities. Apple and Google Android (we
differentiate “Google Android” rather than just “Google” because Google Chrome
has been annotating their security bulletins for the last few years) first began
labeling vulnerabilities in their security advisories with the information about
potential in-the-wild exploitation in November 2020 and January 2021
respectively. When vendors don’t annotate their release notes, the only way we
know that a 0-day was exploited in-the-wild is if the researcher who discovered
the exploitation comes forward. If Apple and Google Android had not begun
annotating their release notes, the public would likely not know about at least
7 of the Apple in-the-wild 0-days and 5 of the Android in-the-wild 0-days. Why?
Because these vulnerabilities were reported by “Anonymous” reporters. If the
reporters didn’t want credit for the vulnerability, it’s unlikely that they
would have gone public to say that there were indications of exploitation. That
is 12 0-days that wouldn’t have been included in this year’s list if Apple and
Google Android had not begun transparently annotating their security advisories.

Kudos and thank you to Microsoft, Google Chrome, and Adobe who have been
annotating their security bulletins for transparency for multiple years now! And
thanks to Apache who also annotated their release notes for CVE-2021-41773 this
past year.

In-the-wild 0-days in Qualcomm and ARM products were annotated as in-the-wild in
Android security bulletins, but not in the vendor’s own security advisories.

It's highly likely that in 2021, there were other 0-days that were exploited in
the wild and detected, but vendors did not mention this in their release notes.
In 2022, we hope that more vendors start noting when they patch vulnerabilities
that have been exploited in-the-wild. Until we’re confident that all vendors are
transparently disclosing in-the-wild status, there’s a big question of how many
in-the-wild 0-days are discovered, but not labeled publicly by vendors.

We had a record number of “data points” in 2021 to understand how attackers are
actually using 0-day exploits. A bit surprising to us though, out of all those
data points, there was nothing new amongst all this data. 0-day exploits are
considered one of the most advanced attack methods an actor can use, so it would
be easy to conclude that attackers must be using special tricks and attack
surfaces. But instead, the 0-days we saw in 2021 generally followed the same bug
patterns, attack surfaces, and exploit “shapes” previously seen in public
research. Once “0-day is hard”, we’d expect that, to be successful, attackers
would have to find new bug classes in new attack surfaces using never before
seen exploitation methods. In general, that wasn't what
the data showed us this year. With two exceptions (described below in the iOS
section) out of the 58, everything we saw was pretty “meh” or standard.

Out of the 58 in-the-wild 0-days for the year, 39, or 67% were memory corruption
vulnerabilities. Memory corruption vulnerabilities have been the standard for
attacking software for the last few decades and it’s still how attackers are
having success. Out of these memory corruption vulnerabilities, the majority
also stuck with very popular and well-known bug classes:

In the next sections we’ll dive into each major platform that we saw in-the-wild
0-days for this year. We’ll share the trends and explain why what we saw was
pretty unexceptional.

Chromium had a record high number of 0-days detected and disclosed in 2021 with
14. Out of these 14, 10 were renderer remote code execution bugs, 2 were sandbox
escapes, 1 was an infoleak, and 1 was used to open a webpage in Android apps
other than Google Chrome.

The 14 0-day vulnerabilities were in the following components:

When we look at the components targeted by these bugs, they’re all attack
surfaces seen before in public security research and previous exploits. If
anything, there are slightly fewer DOM bugs and more targeting other browser
components like IndexedDB and WebGL than previously. 13 out of the 14 Chromium
0-days were memory corruption bugs. Similar to last year, most of those memory
corruption bugs are use-after-free vulnerabilities.

A couple of the Chromium bugs were even similar to previous in-the-wild 0-days.
CVE-2021-21166 is an issue in ScriptProcessorNode::Process() in webaudio where
there are insufficient locks such that buffers are accessible in both the main
thread and the audio rendering thread at the same time. CVE-2019-13720 is an
in-the-wild 0-day from 2019. It was a vulnerability in
ConvolverHandler::Process() in webaudio where there were also insufficient locks
such that a buffer was accessible in both the main thread and the audio
rendering thread at the same time.

CVE-2021-30632 is another Chromium in-the-wild 0-day from 2021. It’s a type
confusion in the TurboFan JIT in Chromium’s JavaScript engine, v8, where
TurboFan fails to deoptimize code after a property map is changed.
CVE-2021-30632 in particular deals with code that stores global properties.
CVE-2020-16009 was also an in-the-wild 0-day that was due to TurboFan failing to
deoptimize code after map deprecation.

Prior to 2021, Apple had only acknowledged 1 publicly known in-the-wild 0-day
targeting WebKit/Safari, and that was due to sharing by an external researcher.
In 2021 there were 7. This makes it hard for us to assess trends or changes
since we don’t have historical samples to go off of. Instead, we’ll look at
2021’s WebKit bugs in the context of other Safari bugs not known to be
in-the-wild and other browser in-the-wild 0-days.

The 7 in-the-wild 0-days targeted the following components:

The one semi-surprise is that no DOM bugs were detected and disclosed. In
previous years, vulnerabilities in the DOM engine have generally made up 15-20%
of the in-the-wild browser 0-days, but none were detected and disclosed for
WebKit in 2021.

It would not be surprising if attackers are beginning to shift to other modules,
like third party libraries or things like IndexedDB. The modules may be more
promising to attackers going forward because there’s a better chance that the
vulnerability may exist in multiple browsers or platforms. For example, the
webaudio bug in Chromium, CVE-2021-21166, also existed in WebKit and was fixed
as CVE-2021-1844, though there was no evidence it was exploited in-the-wild in
WebKit. The IndexedDB in-the-wild 0-day that was used against Safari in 2021,
CVE-2021-30858, was very, very similar to a bug fixed in Chromium in January
2020.

Since we began tracking in-the-wild 0-days, Internet Explorer has had a pretty
consistent number of 0-days each year. 2021 actually tied 2016 for the most
in-the-wild Internet Explorer 0-days we’ve ever tracked even though Internet
Explorer’s market share of web browser users continues to decrease.

So why are we seeing so little change in the number of in-the-wild 0-days
despite the change in market share? Internet Explorer is still a ripe attack
surface for initial entry into Windows machines, even if the user doesn’t use
Internet Explorer as their Internet browser. While the number of 0-days stayed
pretty consistent to what we’ve seen in previous years, the components targeted
and the delivery methods of the exploits changed. 3 of the 4 0-days seen in 2021
targeted the MSHTML browser engine and were delivered via methods other than the
web. Instead they were delivered to targets via Office documents or other file
formats.

The four 0-days targeted the following components:

For CVE-2021-26411, targets of the campaign initially received a .mht file,
which prompted the user to open it in Internet Explorer. Once it was opened in
Internet Explorer, the exploit was downloaded and run. CVE-2021-33742 and
CVE-2021-40444 were delivered to targets via malicious Office documents.

CVE-2021-26411 and CVE-2021-33742 were two common memory corruption bug
patterns: a use-after-free, where a user-controlled callback runs in between
two actions using an object and the user frees the object during that
callback, and a buffer overflow.

There were a few different vulnerabilities used in the exploit chain that used
CVE-2021-40444, but the one within MSHTML was that as soon as the Office
document was opened the payload would run: a CAB file was downloaded,
decompressed, and then a function from within a DLL in that CAB was executed.
Unlike the previous two MSHTML bugs, this was a logic error in URL parsing
rather than a memory corruption bug.

Windows is the platform where we’ve seen the most change in components targeted
compared with previous years. However, this shift has generally been in progress
for a few years and was predicted given the end-of-life of Windows 7 in 2020,
which is why it’s still not especially novel.

In 2021 there were 10 Windows in-the-wild 0-days targeting 7 different
components:

The number of different components targeted is the shift from past years. For
example, in 2019 75% of Windows 0-days targeted Win32k while in 2021 Win32k only
made up 20% of the Windows 0-days. The reason that this was expected and
predicted was that 6 out of 8 of those 0-days that targeted Win32k in 2019 did
not target the latest release of Windows 10 at that time; they were targeting
older versions. With Windows 10 Microsoft began dedicating more and more
resources to locking down the attack surface of Win32k so as those older
versions have hit end-of-life, Win32k is a less and less attractive attack
surface.

Similar to the many Win32k vulnerabilities seen over the years, the two 2021
Win32k in-the-wild 0-days are due to custom user callbacks. The user calls
functions that change the state of an object during the callback and Win32k does
not correctly handle those changes. CVE-2021-1732 is a type confusion
vulnerability due to a user callback in
xxxClientAllocWindowClassExtraBytes which leads to out-of-bounds read and write.
If NtUserConsoleControl is called during the callback a flag is set in the
window structure to signal that a field is an offset into the kernel heap.
xxxClientAllocWindowClassExtraBytes doesn’t check this and writes that field as
a user-mode pointer without clearing the flag. The first in-the-wild 0-day
detected and disclosed in 2022, CVE-2022-21882, is due to CVE-2021-1732 actually
not being fixed completely. The attackers found a way to bypass the original
patch and still trigger the vulnerability. CVE-2021-40449 is a use-after-free in
NtGdiResetDC due to the object being freed during the user callback.
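The "user callback between two uses of an object" use-after-free shape described above for CVE-2021-26411 and for the Win32k bugs, shown as an added illustration in C beside the reference-holding fix; this is not code from the post or from Microsoft, and `object_t`, `handle_vulnerable` and `handle_hardened` are hypothetical names. To keep the demo free of undefined behaviour, dropping the last reference poisons the object instead of calling free(), so a stale access is counted rather than crashing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model, not vendor code: a reference-counted object, a handler
 * that uses it twice with a user-controlled callback in between, and the
 * hardened handler that holds its own reference across the callback. */

typedef struct {
    int refcount;
    int live;   /* 1 while valid, 0 after the last reference is dropped */
    int value;
} object_t;

typedef void (*user_callback_t)(object_t *o, void *ctx);

static int stale_accesses;  /* instrumentation: reads of a dead object */

static object_t *object_new(int value)
{
    object_t *o = calloc(1, sizeof *o);
    if (o == NULL) abort();
    o->refcount = 1;
    o->live = 1;
    o->value = value;
    return o;
}

static void object_ref(object_t *o) { o->refcount++; }

static void object_unref(object_t *o)
{
    if (--o->refcount == 0) {
        o->live = 0;    /* stand-in for free(o) */
        o->value = -1;  /* poison so a stale read is visible */
    }
}

static int object_get_value(object_t *o)
{
    if (!o->live) stale_accesses++;
    return o->value;
}

/* Vulnerable shape: use the object, hand control to user code, then use the
 * same pointer again without holding a reference of its own across the call. */
static int handle_vulnerable(object_t *o, user_callback_t cb, void *ctx)
{
    int before = object_get_value(o);    /* first use */
    cb(o, ctx);                          /* user code may drop the last reference */
    return before + object_get_value(o); /* second use: stale if cb freed o */
}

/* Hardened shape: take a reference before the callback and release it after,
 * so the object cannot reach refcount 0 while this function still uses it. */
static int handle_hardened(object_t *o, user_callback_t cb, void *ctx)
{
    object_ref(o);
    int before = object_get_value(o);
    cb(o, ctx);
    int result = before + object_get_value(o);
    object_unref(o);
    return result;
}

/* Well-behaved callback: touches nothing. */
static void callback_benign(object_t *o, void *ctx) { (void)o; (void)ctx; }

/* Callback that releases the caller's reference mid-operation, the behaviour
 * the post describes for the MSHTML and Win32k cases. */
static void callback_drops_ref(object_t *o, void *ctx) { (void)ctx; object_unref(o); }

/* Runs one scenario and returns the handler's result; the number of stale
 * accesses it caused is left in stale_accesses. Expected: 42 everywhere
 * except the vulnerable handler with the hostile callback, which reads the
 * poisoned value and returns 20. */
static int run_scenario(int hardened, int hostile)
{
    object_t *o = object_new(21);
    user_callback_t cb = hostile ? callback_drops_ref : callback_benign;
    stale_accesses = 0;
    int result = hardened ? handle_hardened(o, cb, NULL)
                          : handle_vulnerable(o, cb, NULL);
    if (o->live) object_unref(o);  /* drop the caller's reference if still held */
    free(o);                       /* storage was only poisoned, release it here */
    return result;
}

/* Returns the stale access count a scenario produces. */
static int stale_accesses_for(int hardened, int hostile)
{
    (void)run_scenario(hardened, hostile);
    return stale_accesses;
}

int main(void)
{
    static const char *names[] = { "vulnerable", "hardened" };
    for (int h = 0; h < 2; h++) {
        for (int hostile = 0; hostile < 2; hostile++) {
            int r = run_scenario(h, hostile);  /* evaluate before reading the counter */
            printf("%-10s %-7s callback: result=%d stale_accesses=%d\n",
                   names[h], hostile ? "hostile" : "benign", r, stale_accesses);
        }
    }
    return 0;
}
```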

As discussed in the “More disclosure” section above, 2021 was the first full
year that Apple annotated their release notes with in-the-wild status of
vulnerabilities. 5 iOS in-the-wild 0-days were detected and disclosed this year.
The first publicly known macOS in-the-wild 0-day (CVE-2021-30869) was also
found. In this section we’re going to discuss iOS and macOS together because: 1)
the two operating systems include similar components and 2) the sample size for
macOS is very small (just this one vulnerability).

For the 5 total iOS and macOS in-the-wild 0-days, they targeted 3 different
attack surfaces:

These 4 attack surfaces are not novel. IOMobileFrameBuffer has been a target of
public security research for many years. For example, the Pangu Jailbreak from
2016 used CVE-2016-4654, a heap buffer overflow in
IOMobileFrameBuffer. IOMobileFrameBuffer manages the screen’s frame buffer. For
iPhone 11 (A13) and below, IOMobileFrameBuffer was a kernel driver. Beginning
with A14, it runs on a coprocessor, the DCP. It’s a popular attack surface
because historically it’s been accessible from sandboxed apps. In 2021 there
were two in-the-wild 0-days in IOMobileFrameBuffer. CVE-2021-30807 is an
out-of-bounds read and CVE-2021-30883 is an integer overflow, both common memory
corruption vulnerabilities. In 2022, we already have another in-the-wild 0-day
in IOMobileFrameBuffer, CVE-2022-22587.

One iOS 0-day and the macOS 0-day both exploited vulnerabilities in the XNU
kernel and both vulnerabilities were in code related to XNU’s inter-process
communication (IPC) functionality. CVE-2021-1782 exploited a vulnerability in
mach vouchers while CVE-2021-30869 exploited a vulnerability in mach messages.
This is not the first time we’ve seen iOS in-the-wild 0-days, much less public
security research, targeting mach vouchers and mach messages. CVE-2019-6625 was
exploited as a part of an exploit chain targeting iOS 11.4.1-12.1.2 and was also
a vulnerability in mach vouchers.

Mach messages have also been a popular target for public security research. In
2020 there were two in-the-wild 0-days also in mach messages: CVE-2020-27932 &
CVE-2020-27950. This year’s CVE-2021-30869 is a pretty close variant to 2020’s
CVE-2020-27932. Tielei Wang and Xinru Chi actually presented on this
vulnerability at Zer0Con 2021 in April 2021. In their presentation, they
explained that they found it while doing variant analysis on CVE-2020-27932.
Tielei Wang explained via Twitter that they had found the vulnerability in
December 2020 and had noticed it was fixed in beta versions of iOS 14.4 and
macOS 11.2 which is why they presented it at Zer0Con. The in-the-wild exploit
only targeted macOS 10, but used the same exploitation technique as the one
presented.

The two FORCEDENTRY exploits (CVE-2021-30860 and the sandbox escape) were the
only times that made us all go “wow!” this year. For CVE-2021-30860, the integer
overflow in CoreGraphics, it was because:

The sandbox escape (CVE requested, not yet assigned) was impressive because it’s
one of the few times we’ve seen a sandbox escape in-the-wild that uses only
logic bugs, rather than the standard memory corruption bugs.

For CVE-2021-30860, the vulnerability itself wasn’t especially notable: a
classic integer overflow within the JBIG2 parser of the CoreGraphics PDF
decoder. The exploit, though, was described by Samuel Groß & Ian Beer as “one of
the most technically sophisticated exploits [they]’ve ever seen”. Their blogpost
shares all the details, but the highlight is that the exploit uses the logical
operators available in JBIG2 to build NAND gates which are used to build its own
computer architecture. The exploit then writes the rest of its exploit using
that new custom architecture. From their blogpost:

Using over 70,000 segment commands defining logical bit operations, they define
a small computer architecture with features such as registers and a full 64-bit
adder and comparator which they use to search memory and perform arithmetic
operations. It's not as fast as Javascript, but it's fundamentally
computationally equivalent.

The bootstrapping operations for the sandbox escape exploit are written to run
on this logic circuit and the whole thing runs in this weird, emulated
environment created out of a single decompression pass through a JBIG2 stream.
It's pretty incredible, and at the same time, pretty terrifying.

This is an example of what making 0-day exploitation hard could look
like: attackers having to develop a new and novel way to exploit a bug and that
method requires lots of expertise and/or time to develop. This year, the two
FORCEDENTRY exploits were the only 0-days out of the 58 that really impressed
us. Hopefully in the future, the bar has been raised such that this will be
required for any successful exploitation.

There were 7 Android in-the-wild 0-days detected and disclosed this year. Prior
to 2021 there had only been 1 and it was in 2019: CVE-2019-2215. Like WebKit,
this lack of data makes it hard for us to assess trends and changes. Instead,
we’ll compare it to public security research.

For the 7 Android 0-days they targeted the following components:

5 of the 7 0-days from 2021 targeted GPU drivers. This is actually not that
surprising when we consider the evolution of the Android ecosystem as well as
recent public security research into Android. The Android ecosystem is quite
fragmented: many different kernel versions, different manufacturer
customizations, etc. If an attacker wants a capability against “Android
devices”, they generally need to maintain many different exploits to have a
decent percentage of the Android ecosystem covered. However, if the attacker
chooses to target the GPU kernel driver instead of another component, they will
only need to have two exploits since most Android devices use 1 of 2 GPUs:
either the Qualcomm Adreno GPU or the ARM Mali GPU.

Public security research mirrored this choice in the last couple of years as
well. When developing full exploit chains (for defensive purposes) to target
Android devices, Guang Gong, Man Yue Mo, and Ben Hawkes all chose to attack the
GPU kernel driver for local privilege escalation. Seeing the in-the-wild 0-days
also target the GPU was more of a confirmation rather than a revelation. Of the
5 0-days targeting GPU drivers, 3 were in the Qualcomm Adreno driver and 2 in
the ARM Mali driver.

The two non-GPU driver 0-days (CVE-2021-0920 and CVE-2021-1048) targeted the
upstream Linux kernel. Unfortunately, these 2 bugs shared a singular
characteristic with the Android in-the-wild 0-day seen in 2019: all 3 were
previously known upstream before their exploitation in Android. While the sample
size is small, it’s still quite striking to see that 100% of the known
in-the-wild Android 0-days that target the kernel are bugs that actually were
known about before their exploitation.

The vulnerability now referred to as CVE-2021-0920 was actually found in
September 2016 and discussed on the Linux kernel mailing lists. A patch was even
developed back in 2016, but it didn’t end up being submitted. The bug was
finally fixed in the Linux kernel in July 2021 after the detection of the
in-the-wild exploit targeting Android. The patch then made it into the Android
security bulletin in November 2021.

CVE-2021-1048 remained unpatched in Android for 14 months after it was patched
in the Linux kernel. The Linux kernel was actually only vulnerable to the issue
for a few weeks, but due to Android patching practices, that few weeks became
almost a year for some Android devices. If an Android OEM synced to the upstream
kernel, then they likely were patched against the vulnerability at some point.
But many devices, such as recent Samsung devices, had not and thus were left
vulnerable.

In 2021, there were 5 in-the-wild 0-days targeting Microsoft Exchange Server.
This is the first time any Exchange Server in-the-wild 0-days have been detected
and disclosed since we began tracking in-the-wild 0-days. The first four
(CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were all
disclosed and patched at the same time and used together in a single operation.
The fifth (CVE-2021-42321) was patched on its own in November 2021.
CVE-2021-42321 was demonstrated at Tianfu Cup and then discovered in-the-wild by
Microsoft. While no other in-the-wild 0-days were disclosed as part of the chain
with CVE-2021-42321, the attackers would have required at least another 0-day
for successful exploitation since CVE-2021-42321 is a post-authentication bug.

Of the four Exchange in-the-wild 0-days used in the first campaign,
CVE-2021-26855, which is also known as “ProxyLogon”, is the only one that’s
pre-auth. CVE-2021-26855 is a server side request forgery (SSRF) vulnerability
that allows unauthenticated attackers to send arbitrary HTTP requests as the
Exchange server. The other three vulnerabilities were post-authentication. For
example, CVE-2021-26858 and CVE-2021-27065 allowed attackers to write arbitrary
files to the system. CVE-2021-26857 is a remote code execution vulnerability due
to a deserialization bug in the Unified Messaging service. This allowed
attackers to run code as the privileged SYSTEM user.

For the second campaign, CVE-2021-42321, like CVE-2021-26858, is a
post-authentication RCE vulnerability due to insecure deserialization. It seems
that while attempting to harden Exchange, Microsoft inadvertently introduced
another deserialization vulnerability.

While there were a significant number of 0-days in Exchange detected and
disclosed in 2021, it’s important to remember that they were all used as 0-day
in only two different campaigns. This is an example of why we don’t suggest
using the number of 0-days in a product as a metric to assess the security of a
product. Requiring the use of four 0-days for attackers to have success is
preferable to an attacker only needing one 0-day to successfully gain access.

While this is the first time Exchange in-the-wild 0-days have been detected and
disclosed since Project Zero began our tracking, this is not unexpected. In 2020
there was n-day exploitation of Exchange Servers. Whether this was the first
year that attackers began the 0-day exploitation or if this was the first year
that defenders began detecting the 0-day exploitation, this is not an unexpected
evolution and we’ll likely see it continue into 2022.

While there has been progress on detection and disclosure, that progress has
shown just how much work there still is to do. The more data we gained, the more
questions that arose about biases in detection, what we’re missing and why, and
the need for more transparency from both vendors and researchers.

Until the day that attackers decide to happily share all their exploits with us,
we can’t fully know what percentage of 0-days are publicly known about. However
when we pull together our expertise as security researchers and anecdotes from
others in the industry, it paints a picture of some of the data we’re very
likely missing. From that, these are some of the key questions we’re asking
ourselves as we move into 2022:

Despite the number of 0-days found in 2021, there are key targets missing from
the 0-days discovered. For example, we know that messaging applications like
WhatsApp, Signal, Telegram, etc. are targets of interest to attackers and yet
only one messaging-app 0-day, in this case in iMessage, was found this past
year. Since we began tracking in mid-2014 the total is two: a WhatsApp 0-day in
2019 and this iMessage 0-day found in 2021.

Along with messaging apps, there are other platforms/targets we’d expect to see
0-days targeting, yet there are no or very few public examples. For example,
since mid-2014 there’s only one in-the-wild 0-day each for macOS and Linux.
There are no known in-the-wild 0-days targeting cloud, CPU vulnerabilities, or
other phone components such as the WiFi chip or the baseband.

This leads to the question of whether these 0-days are absent due to lack of
detection, lack of disclosure, or both.

Unless a vendor has told us that they will publicly disclose exploitation status
for all vulnerabilities in their platforms, we, the public, don’t know if the
absence of an annotation means that there is no known exploitation of a
vulnerability or if there is, but the vendor is just not sharing that
information publicly. Thankfully this question is something that has a pretty
clear solution: all device and software vendors agreeing to publicly disclose
when there is evidence to suggest that a vulnerability in their product is being
exploited in-the-wild.

As we described earlier in this report, all the 0-days we saw in 2021 had
similarities to previously seen vulnerabilities. This leads us to wonder whether
or not that’s actually representative of what attackers are using. Are attackers
actually having success exclusively using vulnerabilities in bug classes and
components that are previously public? Or are we detecting all these 0-days with
known bug patterns because that’s what we know how to detect? Public security
research would suggest that yes, attackers are still able to have success with
using vulnerabilities in known components and bug classes the majority of the
time. But we’d still expect to see a few novel and unexpected vulnerabilities in
the grouping. We posed this question back in the 2019 year-in-review and it
still lingers.

To successfully exploit a vulnerability there are two key pieces that make up
that exploit: the vulnerability being exploited, and the exploitation method
(how that vulnerability is turned into something useful).

Unfortunately, this report could only really analyze one of these components:
the vulnerability. Out of the 58 0-days, only 5 have an exploit sample publicly
available. Discovered in-the-wild 0-days are the failure case for attackers and
a key opportunity for defenders to learn what attackers are doing and make it
harder, more time-intensive, more costly, to do it again. Yet without the
exploit sample or a detailed technical write-up based upon the sample, we can
only focus on fixing the vulnerability rather than also mitigating the
exploitation method. This means that attackers are able to continue to use their
existing exploit methods rather than having to go back to the design and
development phase to build a new exploitation method. While acknowledging that
sharing exploit samples can be challenging (we have that challenge too!), we
hope in 2022 there will be more sharing of exploit samples or detailed technical
write-ups so that we can come together to use every possible piece of
information to make it harder for the attackers to exploit more users.

As an aside, if you have an exploit sample that you’re willing to share with us,
please reach out. Whether it’s sharing with us and having us write a detailed
technical description and analysis or having us share it publicly, we’d be happy
to work with you.

Looking back on 2021, what comes to mind is “baby steps”. We can see clear
industry improvement in the detection and disclosure of 0-day exploits. But the
better detection and disclosure has highlighted other opportunities for
progress. As an industry we’re not making 0-day hard. Attackers are having
success using vulnerabilities similar to what we’ve seen previously and in
components that have previously been discussed as attack surfaces. The goal is to
force attackers to start from scratch each time we detect one of their exploits:
they’re forced to discover a whole new vulnerability, they have to invest the
time in learning and analyzing a new attack surface, they must develop a brand
new exploitation method. And while we made distinct progress in detection and
disclosure, it has shown us areas where that can continue to improve.

While this all may seem daunting, the promising part is that we’ve done it
before: we have made clear progress on previously daunting goals. In 2019, we
discussed the large detection deficit for 0-day exploits and 2 years later more
than double were detected and disclosed. So while there is still plenty more
work to do, it’s a tractable problem. There are concrete steps that the tech and
security industries can take to make even more progress:

Through 2021 we continually saw the real world impacts of the use of 0-day
exploits against users and entities. Amnesty International, the Citizen Lab, and
others highlighted over and over how governments were using commercial
surveillance products against journalists, human rights defenders, and
government officials. We saw many enterprises scrambling to remediate and
protect themselves from the Exchange Server 0-days. And we even learned of peer
security researchers being targeted by North Korean government hackers. While
the majority of people on the planet do not need to worry about their own
personal risk of being targeted with 0-days, 0-day exploitation still affects us
all. These 0-days tend to have an outsized impact on society so we need to
continue doing whatever we can to make it harder for attackers to be successful
in these attacks.

2021 showed us we’re on the right track and making progress, but there’s plenty
more to be done to make 0-day hard.
