Google Attempts to Explain Surge in Chrome Zero-Day Exploitation

14 Chrome Zero-Day Vulnerabilities Exploited in Attacks in 2021

The number of Chrome vulnerabilities exploited in malicious attacks has been increasing over the past few years, and Google believes several factors have contributed to this trend.

The number of Chrome vulnerabilities exploited in the wild reached 14 in 2021, up from eight in 2020 and two in 2019. Chrome is targeted far more often than Firefox, Safari and Internet Explorer, according to data from Google’s Project Zero research unit, which tracks exploitation of zero-days.

One reason for the increasing number of zero-day attacks targeting Chrome is related to transparency — browser security teams and research groups are increasingly informing the public about in-the-wild exploitation of vulnerabilities. For example, Project Zero’s exploit tracker does not show any Chrome vulnerabilities being leveraged by hackers before 2019, but the internet giant admits that it “doesn’t mean exploitation didn’t happen.”

Another reason for Chrome being increasingly targeted is related to the deprecation of Flash, as well as the web browser’s popularity. Specifically, threat actors often exploited Adobe Flash vulnerabilities in web attacks before the software was killed off, and now they are focusing more on the browser itself. In addition, since the Chromium rendering engine is now also used by Microsoft for its Edge browser, finding a Chromium vulnerability allows attackers to target more systems.

Google has also attributed the rise in the number of exploited Chrome vulnerabilities to the need to chain multiple bugs for a single exploit. Seven years ago, a single vulnerability could be very valuable to attackers, but the security improvements in modern browsers have resulted in a single flaw almost never being enough for an attacker to achieve their goal.

In addition, the company has blamed this trend on the increasing complexity of the browser, which now includes many of the functions of an operating system. This complexity, while beneficial in terms of functionality, also means more bugs.

“Ultimately, we believe data is an important part of the story, but the absolute number of exploited bugs isn’t a sufficient measure of security risk,” Google argued. “Since some security bugs are inevitable, how a software vendor architects their software (so that the impact of any single bug is limited) and responds to critical security bugs is often much more important than the specifics of any single bug.”

The company says it has been taking steps to prevent Chrome from being abused by malicious actors. These steps include faster patching of vulnerabilities and mechanisms designed to make exploitation of entire classes of vulnerabilities more difficult.

Google said recently that it paid out nearly $9 million in bug bounties last year, including roughly $3.1 million for Chrome vulnerabilities.

So far in 2022, only one Chrome vulnerability appears to have been exploited in the wild.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
