Google: 0-Day Bugs Down, But Risk Still High
The number of 0-day bugs, which give hackers a dangerous advantage, fell in 2022 according to Google. However, the company warns that the figure alone could mislead, encouraging complacency that ignores other factors.
The figures come from Google's Threat Analysis Group, which aims to track, identify and report security bugs, regardless of the software or hardware concerned. The logic is that the better Internet security is overall, the better it is for an Internet-dependent business such as Google.
For the past nine years, it's put together an annual tally of 0-day bugs. While definitions vary, Google classes them as bugs which attackers have discovered and begun actively exploiting before the relevant developers can issue an update. That significantly increases the number of potential victims. (Source: trendmicro.com)
The figure for 2022 was 41, the second highest Google has recorded - down from 69 in 2021. However, it insists the drop is not an unmitigated success. (Source: blog.google)
Patches Too Slow
One problem is that the delays in patching Android devices (which are usually updated by individual manufacturers) mean that many remain vulnerable even once a bug loses its 0-day status.
Another is that attackers appear to have been concentrating on so-called "0-click exploits" that don't require any action by the victim to trigger. Google notes these usually involve targeting something other than the browser itself.
Google also looked at the underlying code of the 0-day exploits and says the findings are a matter of perspective. The bad news is that more than 20% of the exploits in 2022 were variants of 0-day bugs seen in the previous two years. That suggests many "fixes" worked more as a band-aid than treating the underlying vulnerability.
One Fix Beats Multiple Attackers
The good news is that attackers remain uncoordinated and competitive, with many working on the same vulnerabilities. That means fixing a 0-day bug will often block the efforts of multiple attackers, including ones whose exploits hadn't yet been spotted.
Google has three main recommendations for boosting security across the industry. It wants quicker patching of bugs. It wants fixes to be broader rather than precisely targeted, reducing the chances that attackers simply find a different variant of the same vulnerability. And it wants software makers and security firms to be more open and share details of attacks.
What's Your Opinion?
Do you share Google's view that software patches are too slow to best mitigate the risk of attacks? Should security firms go public with bugs quicker or does that risk tipping off would-be attackers? Should Google have given itself the ability to send security updates to all Android phones, regardless of who made them?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance, I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).