If vendors had patched their products properly, a quarter of all the zero-day vulnerabilities discovered being exploited in the wild in 2020 could have been avoided, Google said last week.

Google's Project Zero security team says it detected 24 zero-days exploited by attackers in 2020.

Six of these were variations of vulnerabilities disclosed in previous years. Attackers had access to the older bug reports, carefully studied the previous vulnerability, and then deployed a new variation of it.

Maddie Stone, a member of the Project Zero team, outlined in her blog post that “some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit.”

These zero-days affected Chrome, Firefox, Internet Explorer, Safari, and Windows.

In addition, zero-days discovered and patched in 2020 could have fallen to the same kind of exploitation.

For instance, the initial patches for three zero-days, impacting Chrome, Internet Explorer, and Windows, required additional fixes, said Stone.

A threat actor could have examined the patches and then created a new variation of the vulnerability, in turn re-weaponizing the same vulnerability and continuing their attacks.

Most importantly, if vendors had investigated the root cause of the bugs in greater depth and invested more into the patching process, Stone believes the situation could have been avoided. Last week she presented her findings at the USENIX Enigma virtual security conference.

As a result of these findings, Project Zero researchers recommend that other security experts analyse exposed zero-day vulnerabilities in greater depth.

In other words, learn a bit more about the attacker’s movements to gauge just how they think, in order to gain an advantage. This could help to:

  1. learn about the entry vectors an attacker is trying to exploit
  2. determine the vulnerability class
  3. deploy comprehensive mitigations

In short, this is why Google’s Project Zero team was founded years ago, says Stone: to “learn from 0-days exploited in-the-wild in order to make 0-day hard.”

And the more we can learn about our attackers, the better our defences.