This is the way Google says we can all cut down on security threats

Hacker
(Image credit: Shutterstock)

Security researchers at Google have called 2020 the year of zero-day exploits owing to the large number of these vulnerabilities that were detected and fixed last year.

In a year-in-review post, the researchers shared that while they are still a long way off from detecting the zero-day exploits in the wild, surprisingly a quarter of them stem from previously disclosed vulnerabilities and could have easily been prevented.

“1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored,” wrote Maddie Stone, a security researcher in Google’s Project Zero team.

Fool me twice

According to Stone, last year Project Zero unearthed 24 zero-day exploits that were being actively used in the wild.

In her post, she breaks down six of them to reveal how they were related to previously disclosed vulnerabilities. "Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit," she writes.

As she breaks down the six vulnerabilities the team discovered in Chrome, Firefox, Internet Explorer, Safari, and Windows, Stone notes that they were the result of improper fixes. Surprisingly, her analysis also revealed that three of the vulnerabilities that were patched in 2020 were again “either not fixed correctly or not fixed comprehensively.”

Stone asks vendors to make all the investment required to release correct and comprehensive patches for vulnerabilities that cover all its variants: “Many times we’re seeing vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole, which would block all of the paths.” 

Stone also puts some onus on the security researchers as well who should do a better job of following up and testing the patch. 

“We would really like to work more closely with vendors on patches and mitigations prior to the patch being released,” she suggests, adding that “early collaboration and offering feedback during the patch design and implementation process is good for everyone. Researchers and vendors alike can save time, resources, and energy by working together, rather than patch diffing a binary after release and realizing the vulnerability was not completely fixed.”

Via: ZDNet

TOPICS
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does