What's behind the explosion in zero-day exploits?

A figure in a hooded jumper against a red and blue background
(Image credit: Shutterstock)

You’re unlikely to find a better precis of the ongoing cyber security struggle than DIVD researcher Victor Gevers' comments on how Kaseya handled its recent cyber attack: “They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Thousands of vulnerabilities are discovered each year, but hackers are only able to exploit a sliver of these. When these efforts are successful, however, the consequences are often devastating.

Hundreds of thousands of businesses are still reeling from the Microsoft Exchange Server and SolarWinds Orion Platform hacks, for instance. While some attacks are opportunistic, and rely on businesses failing to apply patches, many occur because hackers unearth and exploit previously unknown vulnerabilities. The number of zero-day attacks in 2021 has seen a frightening surge, with 37 recorded as of 2 August.

This is a record-breaking year for zero-day exploits

Data compiled by Google’s Project Zero, since it was founded in July 2014, reveals that 2021 is the biggest year on record for ‘in the wild’ zero-day exploits. It’s important to note that while there have been fewer vulnerabilities detected overall so far in 2021, as shown on the second tab, there have been far more exploits than in previous years.

Between 2015 and 2020, the count remained stable, with a dip to 12 in 2018 serving as an outlier. As of 3 May, however, the industry detected more exploits in 2021 than the entirety of last year, with the total count surging to 37 based on the latest data. While there are certainly more vulnerabilities reported than ever before, according to the crowd-sourced vulnerability database, VulDB, we can see there’s no real correlation between total vulnerabilities and in-the-wild exploits.

So what’s so special about 2021? One reason Project Zero researchers Maddie Stone and Clement Lecigne offer is better detection and disclosure policies. Both Apple and Android, for instance, recently began annotating flaws in security bulletins to include notes if there’s evidence a vulnerability may have been exploited. When vendors don’t include such notes, the only way we can learn of successful exploits is if the researchers who detect them publish this information themselves.

An Android figurine on a laptop with developer code on the display

(Image credit: Shutterstock)

The growth of mobile platforms has led to more systems that hackers are capable of targeting

There’s also a possibility that attackers are relying more on zero-day exploits as security and patching policies tighten up. “The increase and maturation of security technologies and features mean that the same capability requires more [zero-day] vulnerabilities for the functional chains,” Stone and Lecigne write. “For example, as the Android application sandbox has been further locked down by limiting what syscalls an application can call, an additional [zero-day] is necessary to escape the sandbox.”


X-Force Threat Intelligence Index

Top security threats and recommendations for resilience


The growth of mobile platforms has also led to an increase in the number of products that hackers want capabilities for. There are also more commercial entities selling access to zero-days than in the 2010s, such as the recently exposed Candiru, which built a tool that exploited two Microsoft zero-days. Finally, with security postures maturing, attackers need to rely on zero-day exploits rather than less sophisticated means, such as convincing people to install malware. “Due to advancements in security, these actors now more often have to use [zero-day] exploits to accomplish their goals,” the researchers add.

Exploits are surging, but they’re less severe

As for measuring the impact these attacks have, we can see a decline in the severity of the consequences of exploitation. Irrespective of the number of detections, severity, measured by the common vulnerability scoring system (CVSS), has declined, despite an onslaught of headlines highlighting devastating attacks throughout 2021.

CVSS is a standardised metric the security industry uses to determine how dangerous any vulnerability is, using several factors to generate a score out of ten. The three main factors taken into account are the scope of an attack, what outcome any exploitation is likely to have, and how difficult an attack might be to execute.

Analysing the CVSS metric assigned to all 180 flaws exploited in the wild since July 2014, and plotting a rolling average of the last five exploited zero-days, we can see the severity of abused flaws is in a state of decline. This is also reflected in the average CVSS score of vulnerabilities exploited per calendar year.

This could be explained by the notion that software development, on the whole, is in a much healthier place than ever before. As Gartner’s research vice president for network security, Laurence Orans puts it, coding is better and the software development process has been strengthened over the last several years. Analysis of the severity of all vulnerabilities by VulDB shows this is true, but only to an extent. There has indeed been a steady decline in the severity of all vulnerabilities between 2016 and 2021, but it’s far less pronounced than the decline in the severity of exploits detected in the wild.

Jake Moore, a cyber security specialist with ESET, meanwhile, tells IT Pro this data suggstes security teams are slowly clawing back control over what has previously been considered a Wild West of the digital landscape. “Cyber security can’t be won overnight and it can even take years to minimise the lead cyber criminals have,” he says. “A multi-agency approach on tackling cybercrime with better staff awareness programs all help towards the end goal of reducing the impact of a cyber attack – but this takes time. Cyber criminals are always sharpening their tools and honing their craft, but let’s not forget the huge amount of work we are all doing to protect against these attacks. Over time, I would suggest this trend will continue until it reaches a plateauing score that delivers strong attacks, but where the majority of organisations are able to withstand the most common or even most severe.”

Microsoft is the most targeted vendor

Hackers have exploited more Microsoft flaws in the wild than they’ve targeted vulnerabilities in products developed by all other vendors combined, with 52% of the 180 exploited flaws embedded in Microsoft software. The next most-targeted vendor is Adobe, with 27 flaws.

A further breakdown shows that Windows is the most targeted product, with 43 zero-day exploit detections, followed by Internet Explorer (21) and Microsoft Office (13). There are a further eight flaws that fall under the Windows Kernel category. It chimes with findings by Recorded Future, published in February, which showed seven of the top 10 most commonly exploited flaws during 2020 were found in Microsoft products. This is in line with the previous year’s figures of eight in ten.

Moore says this is a phenomenon that mirrors the urban myth that Mac systems didn’t get computer viruses. Mac, he explains, has always had vulnerabilities, but cyber criminals target the masses and aim for what will be the most lucrative avenue. “The majority of businesses have used Windows for years,” he says. “It’s far more lucrative to target the mainstream operating system; a fact that remains the same today. This doesn’t necessarily make Microsoft products more vulnerable, it’s simply why they are targeted.”

The Windows 11 Desktop in dark mode

(Image credit: Microsoft)

Hackers will be extremely likely to attempt to exploit Microsoft's next OS when it's released in 2022

Orans agrees, suggesting the payoff in targeting Microsoft software, and Windows systems in particular, is much greater. “Because Microsoft, and Windows, are so pervasive, your chances of success are greater,” he says. “If you go after Linux systems, you get a smaller target. If you go after Apple, there’s a smaller target. The install base of Microsoft is greater than the other software vendors, whether it’s Apple or the Linux machines out there. The target is larger if you go after Microsoft.”

Memory remains the exploitation vehicle of choice

By some distance, memory issues tend to be at the heart of most zero-day exploits detected, with 127 of the 180 flaws tracked relating to memory corruption.

This parallels research Microsoft published in 2019, which revealed roughly 70% of all vulnerabilities it addresses are related to memory safety. These comprise buffer overflow, race condition, page fault, null pointer, stack exhaustion, heap exhaustion/corruption, use-after-free, and double-free bugs. They occur when software, accidentally or intentionally accesses system memory in a way that exceeds its allocated size and memory addresses.

Notably, it’s a statistic that’s hardly ever dropped over the last decade, Moore says, and is often because memory is a core functionality of a computer, storing vital and sensitive data, such as password information. “Windows was mostly written in C+ or C++, which are generally weaker memory programming languages,” he explains. “If there is a mistake in the code by a developer, a malicious actor could easily take advantage of this and target the host computer. Attackers target the weakest link and if the programming language of the memory itself remains the easiest point of entry, then we are going to see this attack vector continue to be targeted.”

Could more zero-day exploits be a good thing?

You might be forgiven for believing the security industry is losing the fight, given a series of massive cyber attacks that took place towards the end of 2020 and in the first half of 2021. It’s also particularly demoralising that REvil exploited one of these – the Kaseya VSA vulnerabilities – just days before the vendor was due to plug these holes.

Project Zero researchers Stone and Lecigne, however, suggest the recent surge in detections might actually serve as evidence that the security industry holds the upper hand. Attackers needing more [zero-day] exploits to maintain their capabilities is a good thing – and it reflects increased cost to the attackers from security measures that close known vulnerabilities,” they write. There’s a caveat, however, that the increasing demand for such capabilities, and the new commercial ecosystem, represents a fresh challenge for the security industry.

The NSO Group logo on a smartphone that's been placed on a keyboard

(Image credit: Shutterstock)

The Pegasus spyware, published by NSO Group, exemplifies this expanding commercial ecosystem

“Meanwhile,” they add, “improvements in detection and a growing culture of disclosure likely contribute to the significant uptick in [zero-days] detected in 2021 compared to 2020, but reflect more positive trends.

“Those of us working on protecting users from [zero-day] attacks have long suspected that overall, the industry detects only a small percentage of the zero-days actually being used. Increasing our detection of zero-day exploits is a good thing – it allows us to get those vulnerabilities fixed and protect users, and gives us a fuller picture of the exploitation that is actually happening so we can make more informed decisions on how to prevent and fight it.”

Moore echoes these sentiments, suggesting that hackers have always relied on zero-days as the best way to exploit a system, and the number of detections could quite possibly be irrelevant. “What is important is the amount of resources, time, and money that are invested in cyber security, which is improving overall,” he says. “We aren’t losing the fight in infosecurity, and defences are getting better. This helps force decision-makers become more aware and increase protection against more sophisticated attacks.”

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.