Google revealed that 25% of the 0-days detected in 2020 were related to publicly disclosed vulnerabilities that had already been patched. The result is worrying because one in four of those exploits could have been avoided had developers made better patches.
There are a few mantras in the cybersecurity world, each with its role. One of the most important is also one of the most ignored: consumers and companies need to keep their software patched and up to date, making the attacker’s life all the more difficult. Breaching a fully patched system or network is much more complicated than breaching one that’s full of 0-days.
“Across the industry, incomplete patches — patches that don’t correctly and comprehensively fix the root cause of a vulnerability — allow attackers to use 0-days against users with less effort,” said Project Zero’s Maddie Stone.
“When looking at the 24 0-days detected in-the-wild in 2020, there’s an undeniable conclusion: increasing investment in correct and comprehensive patches is a huge opportunity for our industry to impact attackers using 0-days.”
Google looked at 24 of the most used 0-days in the wild and discovered that six of them were closely related to publicly disclosed vulnerabilities. Another three were only possible because the provided patch was insufficient, and the attackers only had to change one or two lines of code. Unfortunately, one of the underlying issues is that companies don’t invest enough resources and time in patches, which makes the attackers’ job much easier.
If there’s anything to learn from 2020’s mistakes, it is that vendors need to close vulnerabilities as soon as they are notified of them, before they are publicly revealed, and also to build better patches that force hackers to start from scratch. Organizations and customers should likewise update their software as soon as possible, to mitigate and fix any 0-day before attackers have a chance to use it in the wild.