Google has released a report on the prevalence of 0-day vulnerabilities: flaws that attackers exploit in the wild before the affected software's vendor has shipped a patch. According to the report, the Project Zero team tracked 41 such in-the-wild 0-day exploits in 2022, a 40% decrease from the 69 recorded the previous year. Despite the decrease, the 2022 count still exceeds the average over the past six years.
The continued supply of 0-day vulnerabilities can be attributed to several factors. Attackers still need 0-day exploits, since they allow attacks against systems for which no patch is yet available. The methods for finding such vulnerabilities have also become more streamlined, making it easier for attackers to discover and exploit them. Finally, incomplete patches give exploit authors the opportunity to find new ways to trigger previously known vulnerabilities, so that a "fixed" bug returns as a variant.
Notably, more than 40% (17 out of 41) of the 0-day exploits identified in 2022 were variants of vulnerabilities that had already been publicly disclosed and patched. This is most likely due to incomplete or low-quality patches: developers often block only the specific case that was reported, or ship a change that looks like a fix without resolving the root cause. Because the original bug is considered closed, these variants can escape the more thorough scrutiny and correction that a new vulnerability would receive.
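The "specific case" versus "root cause" distinction above is easiest to see in code. The following is an added, constructed example (not from the report and not tied to any real product): a toy file-serving path check patched in two ways. The narrow patch strips the literal "../" that appeared in the original bug report; the root-cause patch normalizes the full path and requires it to stay under the base directory. A small regression set of constructed inputs shows which variants the narrow patch still lets through. The base directory `/srv/files`, the function names and the input list are all assumptions for illustration.

```python
import posixpath

# Constructed example: the directory the toy server is allowed to serve from.
BASE = "/srv/files"


def narrow_fix(user_path: str) -> str:
    """The 'specific case' patch.

    It removes the exact string from the original report ("../") and serves
    whatever is left. This closes the reported input but not the bug class,
    because str.replace runs once and treats other forms of the same idea
    (doubled dots, doubled slashes, absolute paths) as harmless.
    """
    return posixpath.join(BASE, user_path.replace("../", ""))


def root_cause_fix(user_path: str):
    """The root-cause patch.

    Join, normalize, and then check containment on the *resulting* path
    rather than on the shape of the input. Returns the resolved path when it
    stays inside BASE, or None when it would escape. Purely lexical
    (posixpath.normpath) so the example runs offline without a filesystem;
    a production check would also resolve symlinks.
    """
    candidate = posixpath.normpath(posixpath.join(BASE, user_path))
    if candidate == BASE or candidate.startswith(BASE + "/"):
        return candidate
    return None


def escapes_base(resolved: str) -> bool:
    """True if the path a fix decided to serve actually leaves BASE."""
    normalized = posixpath.normpath(resolved)
    return not (normalized == BASE or normalized.startswith(BASE + "/"))


def narrow_fix_escapes(user_path: str) -> bool:
    """Does the narrow patch serve a file outside BASE for this input?"""
    return escapes_base(narrow_fix(user_path))


# Constructed regression set: the originally reported input first, then
# variants an attacker might try once the narrow patch is known.
VARIANTS = [
    "../etc/passwd",       # the reported case
    "....//etc/passwd",    # stripping "../" once leaves "../" behind
    "..//etc/passwd",      # stripping "../" leaves an absolute path
    "/etc/passwd",         # absolute path never contained "../"
    "reports/2022.txt",    # a legitimate request
]


def regression_report() -> dict:
    """Map each input to (narrow patch escapes BASE?, root-cause result)."""
    return {v: (narrow_fix_escapes(v), root_cause_fix(v)) for v in VARIANTS}


if __name__ == "__main__":
    for variant, (escapes, resolved) in regression_report().items():
        print(f"{variant!r:24} narrow escapes={escapes!s:5} root_cause={resolved}")
```

The takeaway for patch review is the last function: a fix should be accepted against a variant set that exercises the bug class, not only against the reproducer in the report. The narrow patch passes the reported input and fails three of the four variants; the root-cause patch rejects every escaping input and still serves the legitimate one.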