Google's internal security team has warned that zero-day security threats are becoming a bigger risk than ever.
In its annual summary of the zero-day threat landscape, the Google Project Zero team noted that 58 separate threats had been identified in 2021, the highest number seen since research began in 2014.
This represents an increase from the 25 exploits discovered in 2020 and nearly double the number seen in most years covered by the survey.
zero day threat
Somewhat discouragingly, the team noted that the methodology used by zero-day attackers does not seem to have changed or evolved much from previous years, with the same bug patterns and exploitation techniques still proving popular.
“When we look at these 58 0 days used in 2021, we instead see 0 days similar to previous publicly known vulnerabilities,” Google wrote. “We expect that to be successful, attackers must find new classes of vulnerability bugs in new attack surfaces using never-before-seen exploitation methods. Overall, that's not what the data has shown us this year.
However, Google also points out that the increase in reported zero days may actually be a good thing, as it means more threats are reported and publicly disclosed.
"We conducted and shared this analysis to make day 0 more difficult," Maddie Stone of the Project Zero team wrote in a blog post announcing the results. "We want to make it more expensive, more resource intensive, and generally more difficult for attackers to use zero-day capabilities."
"2021 has highlighted how important it is to remain relentless in our quest to make it harder for attackers to exploit users with 0 days. We have heard time and again how governments target journalists, minority populations, politicians, human rights defenders and including security researchers from around the world.
"The decisions we make in the security and technology communities can have a real impact on society and the lives of our fellow human beings."
Overall, Google says the industry appears to be getting better when it comes to "detection and disclosure" of zero-day exploits, but cautions that these are still "baby steps."
The company calls for a number of steps to accelerate progress, including establishing an industry standard behavior for all vendors to publicly disclose when there is evidence to suggest a vulnerability in their product is being exploited.
Google also says that vendors and security researchers should do better to share samples or exploit techniques, and that more efforts are also needed to reduce memory corruption vulnerabilities or render them inoperable.