Despite a surge in the discovery of in-the-wild zero-day attacks, security investments into OS and software exploit mitigations are forcing attackers to find new attack surfaces and bug patterns.
That’s the takeaway from a new Google report on zero-days documented in 2023 that shows a massive reduction in use-after-free and JavaScript engine exploitation.
“Across browsers and operating systems, investments into exploit mitigations are impacting attackers and the types of vulnerabilities that they’re able to use,” according to the report that combines data from Google’s TAG, Mandiant and Project Zero units.
“Out of the eight in-the-wild zero-days targeting Chrome, none of the vulnerabilities were in the Document Object Model (DOM), and not a single one was a use-after-free,” the researchers noted, chalking up the trend to the release of multiple exploit mitigations to address the primary vulnerabilities and exploitation techniques.
“In 2023 there were no use-after-free vulnerabilities exploited in Chrome for the first time since we began seeing Chrome zero days in-the-wild,” the company said, noting that both Chrome and Apple’s Safari have made exploiting JavaScript Engine vulnerabilities more complex through V8 heap sandbox and JITCage mitigations.
“Exploits must now include bypasses for these mitigations instead of just exploiting the bug directly,” the group said.
Apple’s experimental iOS Lockdown Mode feature, which significantly reduces attack surfaces by limiting certain device functionality, is also making attackers’ lives more difficult, Google said.
“If enabled, Lockdown Mode would have protected users from the majority of the exploitation chains discovered targeting iOS and attackers would not have been able to successfully compromise their targets,” the researchers noted.
Google’s researchers believe the data shows that investments are making “a real impact on the safety of users and forcing attackers to spend the time to research new attack surfaces and find new bug patterns.”
Google said its teams monitored 97 zero-day vulnerabilities exploited in the wild in 2023, a 50% jump over the 62 bugs exploited the year before. Crunching the numbers, the researchers found that attackers have shifted focus to third-party components and libraries that provide broad access to multiple targets of choice.
“Vulnerabilities in third-party components tend to be of higher value and more useful than vulnerabilities in the product’s first party code because they can affect more than just one product. Therefore, an attacker would only need one bug and one exploit to affect two different products instead of developing and maintaining two different ones,” the researchers noted.
“While we have seen this a couple of times in past years as well, it occurred more often in 2023, especially across browsers,” they added.
The 2023 zero-day data shows that commercial spyware vendors are experts at browser and mobile device exploitation while hacking teams linked to China lead the way for government-backed exploitation.
Google said it tracked 61 in-the-wild zero-days that specifically targeted end-user platforms and products, including mobile devices, operating systems, browsers, and other applications.
The researchers also noted a significant surge in zero-days in-the-wild targeting enterprise specific technologies like appliances from Barracuda, Cisco, Ivanti and Trend Micro.
In all, Google said it observed exploitation of nine vulnerabilities affecting security software or devices that provide a valuable target for attackers because it often runs on the edge of a network with high permissions and access.
Related: Can ‘Lockdown Mode’ Solve Apple’s Mercenary Spyware Problem?
Related: US Gov Says Software Measurability is ‘Hardest Problem to Solve’
Related: Apple Adds ‘Lockdown Mode’ to Thwart .Gov Mercenary Spyware
Related: Project Zero: Zoom Platform Missed ASLR Exploit Mitigation
