Google's crack team of security researchers, Project Zero, has done its annual stocktake of without-warning security vulnerabilities, known as zero-days or 0-days, and counted a record 58 of them last year.
This compares to 25 in 2020, with the previous maximum of zero-days detected in a year being 28 in 2015. Project Zero has tracked the vulnerabilities since 2014.
Project Zero lead Maddie Stone said the increased number in 2021 is partly due to improved detection, but mainly down to attackers repeatedly being able to return to previous attack surfaces to create new vulnerabilities.
The goal of Project Zero is to make zero-days hard for attackers.
This means forcing them to start from scratch so as to expend more time and resources to discover exploitable bugs.
That strategy has not gone according to plan, Project Zero noted.
"Attackers are having success using vulnerabilities similar to what we’ve seen previously and in components that have previously been discussed as attack surfaces," Stone said.
Of the 58 zero-days in 2021, over two-thirds used memory corruption vulnerabilities, a well-known attack vector.
Only two of the 58 zero-days discovered last year, used against Apple's iOS mobile operating system, could be deemed as novel.
Other than those, "everything we saw was pretty 'meh' or standard," Stone said.
Continued concerted efforts to reduce memory corruption bugs or failing that, rendering them unexploitable, should be a priority for the industry which has plenty left to do to make zero days hard, according to Stone.
Stone also pointed to some apparent anomalies such as only two zero-days being found since 2014 for messaging apps, which are of high interest to attackers.
Since mid-2014, only one in-the-wild zero-day each has been found for macOS and Linux.
There were no in-the-wild zero-days for cloud environments, processor vulnerabilities, or those targeting phone components such as the wi-fi chip or baseband processors.
However, Project Zero questions if this is due to lack of detection or disclosure, or both.
Lack of disclosure means there could be many more zero-days lying undetected.
Stone and Project Zero gave kudos to big software houses like Microsoft, Google Chrome and Adobe, along with the Apache open source foundation, for now annotating their security bulletins to disclose if vulnerabilities reported to them had been exploited in-the-wild.
"Until we’re confident that all vendors are transparently disclosing in-the-wild status, there’s a big question of how many in-the-wild zero-days are discovered, but not labelled publicly by vendors," Stone said.