A quarter of zero-day exploits discovered last year could have been avoided if vendors had taken a more methodical and comprehensive approach to patching, according to Google.
Project Zero security researcher, Maddie Stone, argued in a blog post yesterday that 25% of zero-days spotted in 2020 were closely related to previously publicly disclosed vulnerabilities.
This means that incomplete patches issued by vendors are effectively allowing attackers to craft follow-up zero-days more easily, in some cases simply by changing a line or two of code.
“A correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability. A comprehensive patch applies that fix everywhere that it needs to be applied, covering all of the variants. We consider a patch to be complete only when it is both correct and comprehensive,” Stone explained.
“When exploiting a single vulnerability or bug, there are often multiple ways to trigger the vulnerability, or multiple paths to access it. Many times we’re seeing vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole, which would block all of the paths. Similarly, security researchers are often reporting bugs without following up on how the patch works and exploring related attacks.”
She detailed six of the 24 zero-day, browser-based exploits detected last year which were closely related to previous publicly disclosed bugs, and a further three vulnerabilities from 2020 and 2019 which were exploited in the wild but not properly fixed.
To improve the situation, vendors will need to focus on investment, prioritization and planning, Stone argued.
“Exactly what investments are likely required depends on each unique situation, but we see some common themes around staffing/resourcing, incentive structures, process maturity, automation/testing and partnerships,” she noted.
“While the idea that incomplete patches are making it easier for attackers to exploit zero-days may be uncomfortable, the converse of this conclusion can give us hope. If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit zero-days.”