According to Google security researcher Maddie Stone, software vendors should stop shipping incomplete fixes for zero-day vulnerabilities. In a presentation at USENIX's Enigma 2021 virtual conference, the researcher gave an overview of the zero-day exploits detected in the wild during 2020.
Zero-Day Flaws Not Patched Properly by Software Vendors
Zero-day vulnerabilities are dangerous because attackers can exploit them for an extended period before a fix exists. Twenty-four such flaws were detected in 2020, four more than the 20 detected in 2019.
Stone found that six of the 24 zero-days of 2020 were variants of previously disclosed flaws, and that three of them were exploitable only because the original patch was incomplete. A partial patch leaves the underlying bug reachable, so an attacker can bring back a working exploit with far less effort than finding a new vulnerability would take.
How did the researcher reach that conclusion?
“We’re not requiring attackers to come up with all new bug classes, to develop brand new exploitation, to look at code that has never been researched before. We’re allowing the reuse of lots of different vulnerabilities that we previously knew about,” she said during her presentation.
One case of the same bug being exploited again and again involves Microsoft's legacy JScript engine in the Internet Explorer browser. Microsoft patched CVE-2018-8653 after receiving a report from Google about a new vulnerability being used in targeted attacks.
The vulnerability allowed arbitrary code execution in the context of the current user. Depending on that user's privileges, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
Next came CVE-2019-1367, a scripting engine memory corruption vulnerability that again allowed remote code execution and full control of the affected system. It was discovered by Clément Lecigne of Google's Threat Analysis Group.
Another zero-day, CVE-2019-1429, was disclosed in November 2019, and a further one, CVE-2020-0674, in January 2020. The series ended in April 2020 with the patch for CVE-2020-0968.
According to Google's threat analysis, the same attacker exploited the four zero-days in this series. Stone's research shows they are closely related: each is a variant of the same use-after-free bug in the JScript engine, which the earlier patches had not fully removed.
Comprehensive Patches Needed
“We need correct and comprehensive patches for all vulnerabilities from our vendors,” Stone pointed out in her presentation. She also urged fellow researchers to help by performing variant analysis on reported bugs, to check that a patch addresses the root cause rather than one instance of it. Doing so makes it much harder for attackers to keep exploiting the same vulnerable code.
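The JScript series above is one underlying bug (a use-after-free during a script callback) resurfacing behind several patches. The C program below is an added illustration of that pattern and of the variant analysis Stone asks for; it is a constructed toy model, not JScript, Microsoft, or Project Zero code, and it does not reproduce any detail of the CVEs named in this article. In the model, an "engine" hands an attacker-controlled callback a reference-counted array from inside two entry points, the callback drops the script's only reference, and freed objects are poisoned rather than returned to the allocator so that the use-after-free is counted instead of crashing. A point fix guards only the entry point named in the report; the comprehensive fix moves the guard into the helper both entry points share. Every name in the code is invented.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy model, not JScript or Microsoft code: a reference-counted
 * script object whose "free" is modelled by a poison flag, so that a
 * use-after-free shows up as a counter instead of undefined behaviour. */
typedef struct {
    int refcount;
    int freed;
    int len;
    int data[8];
} Array;

static int uaf_hits;  /* incremented on every access to a freed object */

static Array *array_new(int len) {
    Array *a = calloc(1, sizeof *a);
    a->refcount = 1;  /* the script's own reference */
    a->len = len;
    for (int i = 0; i < len; i++) a->data[i] = i * 10;
    return a;
}
static void array_addref(Array *a) { a->refcount++; }
static void array_release(Array *a) {
    if (a->refcount > 0 && --a->refcount == 0) a->freed = 1;  /* real engine: free(a) */
}
static int array_get(const Array *a, int i) {
    if (a->freed) uaf_hits++;  /* the bug, made observable */
    return a->data[i];
}

typedef void (*Callback)(Array *a, int value);
typedef void (*EntryPoint)(Array *a, Callback cb);

/* Attacker-controlled script callback: on the first element it drops the
 * script's reference to the array (think "arr = null" followed by a GC). */
static void evil_callback(Array *a, int value) {
    if (value == 0) array_release(a);
}

/* Original engine: two entry points share one unsafe pattern. Neither takes
 * its own reference across the user callback, so the callback can free the
 * object the loop is still reading. */
static void sort_vulnerable(Array *a, Callback cb) {
    for (int i = 0; i < a->len; i++) cb(a, array_get(a, i));
}
static void for_each_vulnerable(Array *a, Callback cb) {
    for (int i = 0; i < a->len; i++) cb(a, array_get(a, i));
}

/* Point fix: only the entry point named in the report gets the guard. */
static void sort_point_fixed(Array *a, Callback cb) {
    array_addref(a);  /* keep the object alive ... */
    for (int i = 0; i < a->len; i++) cb(a, array_get(a, i));
    array_release(a);  /* ... until the loop is done */
}

/* Comprehensive fix: the guard lives in the one helper that every
 * callback-invoking entry point must go through. */
static void call_back_each(Array *a, Callback cb) {
    array_addref(a);
    for (int i = 0; i < a->len; i++) cb(a, array_get(a, i));
    array_release(a);
}
static void sort_fixed(Array *a, Callback cb) { call_back_each(a, cb); }
static void for_each_fixed(Array *a, Callback cb) { call_back_each(a, cb); }

/* Aim the trigger at one entry point; returns how many reads touched freed
 * memory (0 means the entry point survived). */
static int trigger(EntryPoint entry) {
    uaf_hits = 0;
    Array *a = array_new(4);
    entry(a, evil_callback);
    free(a);
    return uaf_hits;
}

/* Variant analysis as a regression step: the same trigger against every
 * entry point that shares the pattern; the result is the number of siblings
 * a patch left unfixed. */
static int unpatched_variants(const EntryPoint *entries, int n) {
    int still_vulnerable = 0;
    for (int i = 0; i < n; i++)
        if (trigger(entries[i]) > 0) still_vulnerable++;
    return still_vulnerable;
}

static const EntryPoint after_point_fix[] = { sort_point_fixed, for_each_vulnerable };
static const EntryPoint after_full_fix[]  = { sort_fixed, for_each_fixed };

int main(void) {
    printf("original sort: %d reads of freed memory\n", trigger(sort_vulnerable));
    printf("after point fix: %d of 2 entry points still vulnerable\n",
           unpatched_variants(after_point_fix, 2));
    printf("after comprehensive fix: %d of 2 entry points still vulnerable\n",
           unpatched_variants(after_full_fix, 2));
    return 0;
}
```

Aiming the same trigger at every entry point that shares the pattern is the mechanical core of variant analysis: after the point fix, `unpatched_variants` still reports one survivor, which is the situation a follow-up zero-day exploits. Fixing the shared helper instead of the reported call site is what "comprehensive" means in practice.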