Half of the actively exploited zero-day vulnerabilities discovered in the first half of the year have been variants of existing security flaws, according to a new report from Google Project Zero.
"As of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022," Google Project Zero security researcher Maddie Stone says in the report. "When we analyzed those 0-days, we found that at least nine of the 0-days are variants of previously patched vulnerabilities. At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests."
It's easy to imagine the zero-day life cycle as something like this: A hacker finds a flaw, figures out how to exploit it, then uses it until someone releases a patch to fix it, at which point the hacker needs to discover a brand-new vulnerability. (And, of course, the people using the vulnerable product finally decide to install that patch.)
But this report from Google Project Zero shows that developers are actually making things much easier for those attackers. Stone explains:
"Many of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched. In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution flow that the proof-of-concept exploits took were patched, but the root cause issue was not addressed: attackers were able to come back and trigger the original vulnerability through a different path. And in the case of the WebKit and Windows PetitPotam issues, the original vulnerability had previously been patched, but at some point regressed so that attackers could exploit the same
Read more on pcmag.com