In December 2018, Google researchers detected a group of hackers targeting Microsoft’s Internet Explorer. Even though new development of the browser had been shut down two years earlier, it is so widely used that if you can figure out a way to hack it, you’ve got a potential door open to billions of computers.
The hackers had searched for and found previously unknown flaws, known as zero-day vulnerabilities.
Shortly after the hackers were spotted, researchers saw an exploit being used in the wild. Microsoft released a patch and fixed the flaw, in a way. In September 2019, another similar vulnerability was discovered being exploited by the same hacking group.
Further discoveries in November 2019, January 2020, and April 2020 added up to at least five zero-day vulnerabilities exploited from the same bug class in a short period of time. Microsoft released several security updates: some failed to fix the targeted vulnerability, while others required only minor changes, just one or two lines of the hacker’s code, for the exploit to work again.
“Once you figure out just one of these bugs, then you can just edit a few lines and continue working zero days.”
This saga is emblematic of a much bigger cybersecurity problem, according to a new study from Maddie Stone, a security researcher at Google: it is far too easy for hackers to continue exploiting insidious zero days because companies don’t do a good job of permanently eliminating flaws and loopholes.
The research by Stone, who is part of a Google security team known as Project Zero, sheds light on several examples of this in action, including problems that Google itself has had with its popular Chrome browser.
“What we’ve seen cuts across the industry: Incomplete patches make it easier for attackers to exploit users with zero days,” Stone said Tuesday at the Enigma security conference. “We’re not asking attackers to come up with all new classes of bugs, develop a whole new exploitation, look at code that has never been studied before. We allow reuse of many different vulnerabilities that we knew before.”
Ripe fruit
Project Zero operates within Google as a unique and at times controversial team dedicated entirely to hunting down enigmatic zero-day vulnerabilities. These bugs are coveted by hackers of all stripes and prized more than ever before – not necessarily because they’re harder and harder to develop, but because, in our hyperconnected world, they’re more powerful.
Over its six-year lifespan, the Google team has publicly tracked over 150 major zero-day bugs, and in 2020 Stone’s team documented 24 zero days that were being exploited – a quarter of which were extremely similar to previously disclosed vulnerabilities. Three were incompletely fixed, meaning it took only a few tweaks to the hacker’s code for the attack to continue to work. Many of these attacks, she says, involve basic mistakes and “fruits at hand.”