Researchers from Google’s Threat Analysis Group released a review of 0-day vulnerabilities that were exploited in the wild in 2022. A total of 41 in-the-wild zero-day vulnerabilities were detected and disclosed that year. This is a 40% decrease from the previous year, which had 69 detected 0-day vulnerabilities. While the downward trend may be comforting, the report said that 40% of the zero-days in 2022 were variants of vulnerabilities that had already been reported. The researcher said that incomplete patching is sometimes the cause of these variant zero-day vulnerabilities. This can happen when vendors address only the attack path shown in the proof of concept or exploit sample, rather than fixing the vulnerability as a whole. Similarly, security researchers often report bugs without following up on how the patch works and exploring related attacks. The recommendations for improvement are for industry to get fixes and mitigations to users quickly, perform detailed analysis to ensure the root cause is addressed, and share as many technical details as possible.
https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in.html
https://therecord.media/google-zero-days-report-2022
This segment was created for the It’s 5:05 podcast