Report: Zero Day Bugs On The Rise

By John Lister

Two separate reports point to a spike in zero-day bugs. That's when would-be attackers trying to exploit a bug have a head start over the developers who are trying to fix and patch it.

When software developers discover a security vulnerability (or are told about it by responsible researchers), they are in a race against time to find and roll out a fix before attackers discover it and start trying to take advantage. Often they'll only have a matter of days.

A zero-day bug is defined as one whose existence is (or was) discovered by hackers before it is known to the software developers. That means the developers have "zero days" to work on a fix before the attacks begin.

Bugs More Than Doubled

Two reports suggest the number of zero-day bugs rose dramatically in 2021 compared with 2020. Security company Mandiant tracked a rise from 30 in 2020 to 80 in 2021, while Google's Project Zero counted a rise from 25 to 58 over the same period. (Source: arstechnica.com)

The precise number is hard to pin down. Mandiant's count is higher because it includes bugs affecting "internet-of-things" devices (such as a smart refrigerator), rather than just traditional computers and mobile devices. It's also impossible to know how many zero-day bugs have yet to be discovered by security researchers and developers.

Indeed, researchers are divided on whether there has been a genuine rise in such bugs, or whether people are simply doing a better job of finding out about them, or major software companies are more willing to admit when a zero-day has happened.

Financial Motivation

One possible change is in how would-be attackers are handling zero-days, and who they are. Some who discover bugs will immediately strike with an attack, while others will "hoard" knowledge of the vulnerability and wait to use it as a weapon for maximum impact.

The latter approach has traditionally been associated with government-backed hacking groups looking to cause international disruption or use the exploits for intelligence gathering.

The recent rise in known zero-day bugs may be because a wider range of attackers are using them. This includes gangs using them for financial attacks such as ransomware, along with people who aren't interested in zero-day bugs for their own use but can sell the details to other attackers. (Source: therecord.media)

What's Your Opinion?

Are you concerned about this apparent rise in zero-day bugs? Do you trust software developers to find and fix security holes quickly enough to keep you safe? Should governments exploit security bugs for national advantage rather than tell software developers immediately to protect users?


Comments

buzzallnight:

Are you concerned about this apparent rise in zero-day bugs?
YES!

Do you trust software developers to find and fix security holes quickly enough to keep you safe?

NO

Should governments exploit security bugs for national advantage rather than tell software developers immediately to protect users?

No

Should OUR OWN government exploit security bugs for national advantage rather than tell software developers immediately to protect users?

Should be against the law!!!!!!!!!!!!!

Does the fact that a much higher percentage of programming is done by low wage legal and illegal immigrants have anything to do with the rise in zero days??????????????

buzzallnight:

Mac and Chrome browsers were considered to be near perfect.

So I just laughed my friken ass off over the 30 new bugs found in Chrome

Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha!