Image: ZDNet
According to data collected by Google’s Project Zero security team, there have been 11 zero-day vulnerabilities exploited in the wild in the first half of the year.
The current number puts 2020 on track to have just as many zero-days as 2019 when Google security researchers said they tracked 20 zero-days all of last year.
Details about these zero-days have been obtained from a spreadsheet managed by Google security researchers, which the company made public available earlier this year. The spreadsheet contains Google’s internal statistics about in-the-wild zero-day usage going as far back as 2014, when the company began tracking said stats.
Below we will list this year’s current zero-day vulnerabilities.
Below that, we will also summarize the most important conclusions of the Google’s first Zero-Day Year in Review report, which the company published last week, detailing 2019 zero-days and their causes.
2020 H1 zero-days
1. Firefox (CVE-2019-17026)
This zero-day was used as part of a combo with another zero-day. See below.
Patched here, in Firefox 72.0.1.
2. Internet Explorer (CVE-2020-0674)
Both of Firefox zero-day listed above and this one have been used by a nation-state hacking group known as DarkHotel, believed to be operating out of the Korean peninsula (unclear if from North Korea or South Korea). Both zero-days have been used to spy on targets located in China and Japan, hence why they were both discovered by Qihoo 360 (Chinese antivirus maker) and JPCERT (Japan’s Computer Emergency Response Team).
Victims of this campaign were redirected to a website where they’d be served either the Firefox or IE zero-day, and then they were infected with the Gh0st remote access trojan.
Patched here, in the Microsoft February 2020 Patch Tuesday.
3. Chrome (CVE-2020-6418)
This zero-day was detected exploited in the wild by Google’s Threat Analysis Group, and details about the attacks where it was used were never released.
Patched here, in Chrome version 80.0.3987.122.
4. & 5. Trend Micro OfficeScan (CVE-2020-8467 and CVE-2020-8468)
Both zero-days were discovered internally by Trend Micro staff. It is believed the zero-days were discovered while Trend Micro investigated a 2019 zero-day in the same product that was used to hack Mitsubishi Electric.
Patched here.
6. & 7. Firefox (CVE-2020-6819 and CVE-2020-6820)
Details about the attacks where these two Firefox zero-days have been used have not yet been released, although, security researchers suggested these might be part of a larger exploit chain.
Patched here, in Firefox 74.0.1.
8. & 9. & 10. (CVE-2020-0938, CVE-2020-1020, and CVE-2020-1027)
All three bugs have been discovered and reported to Microsoft by Google TAG, and just like most Google TAG discoveries, no details about the attacks have been released — yet.
Patched here, here, and here, in the Microsoft April 2020 Patch Tuesday.
11. Sophos XG Firewall (CVE 2020-12271)
A group of hackers discovered earlier this year a zero-day in XG, a top-shelf firewall product developed by UK security firm Sophos. The zero-day, an SQL injection in the firewall’s management panel, allowed hackers to plant the Asnarok backdoor on infected systems. In an investigation, Sophos said hackers tried to deploy the Ragnarok ransomware on infected hosts once its zero-day made the news, but the company says it blocked most attempts.
Patched here.
Analysis of 2019’s zero-days
Putting aside this year’s zero-days, let’s take a look over Google’s analysis of last year’s zero-days.
The bullet list below contains Google’s primary conclusions from its 2019 Zero-Day Year in Review report, which took a thorough look at how security firms are discovering zero-days, which software products are impacted the most, why, and what are the primary causes for most zero-days.
- In 2019, Google says it detected 20 zero-days.
- Eleven of the 20 zero-days impacted Microsoft products.
- Two companies discovered half of all of 2019’s zero-days (Google discovered 7 and Kaspersky found 4).
Image: Google Project Zero
- No actively exploited zero-days have been found in Linux, Safari, or macOS since 2014, when Google began tracking this stat.
- 2019 was the first year when an Android zero-day was discovered.
- Not all zero-days impacted the latest version of the OS/software.
- Google suspects some software vendors are hiding actively exploited zero-days as mundane bugfixes.
- Google says there’s a detection bias towards Microsoft, as there are more security tools specialized in detecting Windows bugs.
- Google says it’s hard to find zero-days on mobile platforms due to walled garden and app sandbox approaches.
- 63% of 2019’s 0-day vulnerabilities were memory corruption bugs (Same 63% figure also applies to 2020 H1’s zero-days. This is also in tune with stats released by Microsoft and Google in 2019, both claiming that 70% of all Microsoft security bugs and 70% of all Chrome vulnerabilities are memory safety issues) (In 2020, 63% of all).
Google said that it plans to publish an annual Zero-Day Year in Review report each year, going forward.