Google Project Zero detected record high 0-day exploits in 2021, but it's not all bad news


Level 62
Thread author
Top poster
Content Creator
Apr 24, 2016
Google's Project Zero security team has published its annual report on 0-day exploits, covering the year 2021. It has also compared this information against its historical data, dating back to 2014. Its analysis has resulted in a bunch of interesting insights and questions in this domain.

For starters, Google Project Zero detected 58 0-day exploits in 2021, this is a record high since the team started tracking this metric in 2014. It is also important to note that only 25 0-day exploits were detected in 2020. That said, this does not necessarily mean that attackers have become more active and successful. Google says that attack patterns and surfaces have remained mostly static in 2021 - barring a couple of novel 0-days - so it believes that the record high figure is actually due to increased detection and disclosure.

Google praised Microsoft, Apple, Apache, and its own Chromium and Android teams for publicly disclosing vulnerabilities in security bulletins in their own products during 2021. It also noted that exploits were detected and disclosed in Qualcomm and ARM products too, but it's unfortunate that these were not detailed in the vendors' own advisories. Google Project Zero believes that there is likely a higher number of 0-day exploits, but the exact number is not known because many vendors do not disclose any discovered vulnerability.

Google Project Zero did notice an odd trend, though. Almost all 0-day exploits used publicly known bug patterns, attack surfaces, and exploit mechanisms. This means that 0-day is not hard enough for attackers yet because if that was true, attackers would be gravitating more towards newer surfaces and attack patterns.

Google has also raised a bunch of interesting questions based on its report. Among these are whether we have a lack of known 0-day exploits for some products because attacks against them aren't successful or because vendors don't disclose them publicly? Are we detecting the same bug patterns because we have become proficient in them? Only five of the 58 0-days have public exploit samples, how do we get access to more?

All of these questions and more are discussed in Google's detailed report here. Moving forward, the Project Zero team has suggested making exploit detection and disclosure a standard policy industry-wide, public sharing of exploit samples, and increased efforts to reduce memory corruption bugs, among other things.