Based on Google, it's too straightforward for hackers to seek out new vulnerabilities
In December 2018, researchers at Google discovered a group of hackers targeting Microsoft's Internet Explorer. Although the redevelopment shut down two years ago, it's such a common browser that if you can find a way to hack it, you might have an open door to billions of computers.
The hackers looked for and found previously unknown bugs known as zero-day vulnerabilities.
Soon after they were discovered, the researchers saw that an exploit was being used in the wild. Microsoft has released a patch and fixed the bug. Another similar vulnerability was identified in September 2019 that was exploited by the same hacking group.
Further discoveries in November 2019, January 2020 and April 2020 led to at least five zero-day vulnerabilities from the same defect class being exploited in a short period of time. Microsoft has issued several security updates: some failed to resolve the vulnerability, while others required minor changes that required only a line or two to modify the hacker's code to make the exploit work again.
"Once you understand any of these errors, just change a few lines and go back to work for zero days."
This saga symbolizes a much bigger cybersecurity problem. According to new research by Maddie Stone, a security researcher at Google, it is far too easy for hackers to continue to exploit insidious zero-days because companies do not consistently do a good job closing errors and gaps.
Research by Stone, who is part of a Google security team called Project Zero, reveals several examples in action, including issues Google itself had with its popular Chrome browser.
"What we have seen in the entire industry: Incomplete patches make it easier for attackers to exploit users within zero days," said Stone on Tuesday at the Enigma security conference. "We don't require attackers to develop all new classes of defects, develop a brand new exploitation, and look at code that has never been examined before." We allow reuse of many different vulnerabilities that we knew about before. "
Low hanging fruits
Project Zero works within Google as a unique and sometimes controversial team dedicated exclusively to the search for enigmatic zero-day errors. These bugs are coveted and valued more than ever by hackers of all kinds – not necessarily because they're harder to develop, but because they're more powerful in our hyperconnected world.
During its six-year lifespan, the Google team has publicly tracked over 150 major zero-day errors. In 2020, the Stone team documented 24 zero days that were being exploited – a quarter of which were extremely similar to the previously reported vulnerabilities. Three were incompletely patched, which meant that only a few changes to the hacking code were required for the attack to continue working. Many such attacks, she says, involve fundamental flaws and "low hanging fruit".