In December 2018, researchers at Google spotted a group of hackers targeting Microsoft’s Internet Explorer. Although new development of the browser was shut down two years ago, it is so common that if you find a way to hack it, you have an open door to billions of computers.
The hackers were looking for, and finding, previously unknown flaws, known as zero-day vulnerabilities.
Shortly after the hackers were spotted, the researchers found an exploit being used in the wild. Microsoft released a patch and fixed the flaw. In September 2019, another similar vulnerability was found to have been exploited by the same hacking group.
Further discoveries in November 2019, January 2020, and April 2020 brought the total to at least five zero-day vulnerabilities exploited from the same bug class. Microsoft released multiple security updates: some failed to actually fix the targeted vulnerability, while others could be bypassed with minor changes to the hacker’s code, as little as one or two lines, for the attack to work again.
According to a new study by Maddie Stone, a security researcher at Google, this episode epitomizes a much bigger problem in cybersecurity: it is very easy for hackers to keep taking advantage of sneaky zero-days because companies are not doing a good job of permanently closing flaws and gaps.
The research by Stone, who is part of a Google security team known as Project Zero, highlights many examples of this in practice, including problems with Google’s own popular Chrome browser.
“We’ve seen disruptions in the industry: Incomplete patches make it easier for attackers to exploit users with zero days,” Stone said at the Enigma security conference on Tuesday. “We don’t want attackers to find all new error classes, develop brand new exploitation, look at code that has never been researched before. We allow the reuse of many different vulnerabilities we knew about.”
Low-hanging fruit
Project Zero works within Google as a unique and sometimes controversial team devoted entirely to hunting down elusive zero-day flaws. These bugs are coveted by hackers of all kinds and are valued more than ever – not because they have become more difficult to develop, but because they are more powerful in our hyperconnected world.
Over its six-year lifetime, Google’s team has publicly tracked more than 150 major zero-day bugs, and in 2020, Stone’s team documented 24 zero-days that were exploited – a quarter of which were extremely similar to previously disclosed vulnerabilities. Three of them were patched incompletely, which meant that only a few changes to the hacker’s code were required for the attack to continue working. Most of these types of attacks, she says, involve basic errors and “low-hanging fruit”.