Google has addressed the reasons for all of the Zero Days discovered in Chrome recently, citing more vendor transparency, evolved attacker focus, the increased use of vulnerabilities in attacks and the increasing complexity of software.
According Project Zero, Google’s vulnerability reporting entity, there have been 25 zero day vulnerabilities in Google Chrome since 2014, including 14 reported just last year and eight in 2020.
For browsers, Google Chrome has contained the most vulnerabilities over the last three years, with a handful each for Internet Explorer, Firefox and WebKit.
According to a Google security blog, the reason is largely twofold: cybersecurity professionals and vendors such as Google are gaining more visibility into exploitation by attackers, enabling vendors to fix security bugs before they cause widespread issues.
Second, there are simply just more exploits in the wild.
Expanding on that further, Google points to four main factors for the increase in exploited zero day bugs in Chrome, including vendor transparency, evolving attack techniques, the increased use of security bugs in attacks and the growing complexity of software.
The company says most major browser providers have increased transparency and are publishing details of security bugs in update releases, making exploited zero days more visible to the public.
Secondly, Google says hackers are choosing to attack Chrome with greater regularity due to the company removing the easily exploitable Flash from Chrome, making the browser the primary target. In addition the Chromium engine is very popular, and Microsoft Edge switched to the engine in 2020, giving bad actors the ability to target a greater percentage of users.
According to Google, attackers are also using multiple bugs to accomplish malicious activities, whereas in previous years, just one vulnerability was required to compromise systems because web pages lived together in a single renderer process. Now, attackers need to use several bugs due to projects such as Chrome’s Site Isolation.
Lastly, software is becoming more complex and browsers are mirroring the complexity of operating systems, including access to peripherals, filesystem, 3D rendering and GPUs. That means more vulnerabilities.
Google says it is taking several steps to address the zero days in Chrome, including strengthening Site Isolation, preventing attackers from using JavaScript just-in-time compilation bugs, preventing exploitability of use-after-free bugs and more. However, those are long-term projects with engineering challenges.
The company advises IT professionals to keep auto-update on and familiarize themselves with the added enterprise policies and controls that can be applied to Chrome within the organization.
For more information, read Google’s blog.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply