In December 2018, Google researchers detected a group of hackers who were targeting Microsoft’s Internet Explorer. Even though new development had been discontinued two years earlier, it is such a common browser that if you can figure out a way to hack it, you have a potential open door to billions of computers.
The hackers searched for, and found, previously unknown flaws, known as zero-day vulnerabilities.
Shortly after the hackers were spotted, researchers saw an exploit used in the wild. Microsoft released a patch and fixed the flaw, in a way. In September 2019, another similar vulnerability was found being exploited by the same hacking group.
Further discoveries in November 2019, January 2020, and April 2020 added up to at least five zero-day vulnerabilities exploited from the same bug class in a short period of time. Microsoft released several security updates: some failed to fix the targeted vulnerability, while others required only slight changes, a line or two in the attacker’s code, for the exploit to work again.
This saga is emblematic of a much bigger cybersecurity problem, according to a new study by Maddie Stone, a security researcher at Google: it is far too easy for hackers to continue exploiting insidious zero days because companies don’t do a good job of permanently eliminating loopholes.
The research by Stone, who is part of a Google security team known as Project Zero, highlights several examples of this in action, including problems that Google itself has had with its popular Chrome browser.
“What we’ve seen from industry cuts: Incomplete patches make it easier for attackers to exploit users with zero days,” Stone said Tuesday at the Enigma Security Conference. “We’re not asking attackers to come up with all new classes of bugs, develop a whole new exploitation, look at code that has never been studied before. We allow reuse of many different vulnerabilities that we knew before.”
Project Zero operates within Google as a unique and at times controversial team entirely dedicated to hunting down enigmatic zero-day loopholes. These bugs are coveted by hackers of all stripes, and prized more than ever – not necessarily because they’re harder and harder to develop, but because, in our hyperconnected world, they’re more powerful.
Over its six-year lifespan, the Google team has publicly tracked over 150 major zero-day bugs, and in 2020 Stone’s team documented 24 zero days that were being exploited, a quarter of which were extremely similar to previously disclosed vulnerabilities. Three were incompletely fixed, meaning that it took only a few tweaks to the hacker’s code for the attack to continue to work. Many of these attacks, she says, involve basic mistakes and “fruits at hand.”