Chrome's security team has acknowledged that zero-day browser vulnerabilities are being actively exploited, a trend that appears to be growing and that the company has analyzed to understand its seriousness.
The growing trend of actively attacked vulnerabilities may be due to several factors. The most worrying of them is the existence of many more ‘exploits’, that is, flaws that expose the security of computer systems. Zero-day ones, moreover, are those the developer does not know about at the time they are identified.
On the other hand, it may be due to increased visibility, which Google highlights as positive because patches can be offered earlier. Those responsible for browsers have not always made public the identification of attacked zero-day vulnerabilities, although at present more information is available and it is more detailed.
The changes adopted in the browsers themselves have forced attackers to change the way they take advantage of vulnerabilities. One example is Flash, now obsolete, but once a target for cyberattackers due to the number of security holes they found and exploited, most of them zero-day.
Another limitation on the active exploitation of zero-day vulnerabilities is site isolation, which prevents a single browser bug from being enough for exploitation, forcing attackers to “chain at least two bugs” in order to act.
“The ‘software’ has bugs”, they affirm at Chrome, and many of those bugs are exploitable, some even unavoidable. For this reason, the company points out that trend data “is an important part of the story, but the absolute number of exploited bugs is not a sufficient measure of security risk.”
Those responsible for Chrome cannot ensure that there was no exploitation in Chromium-based browsers between 2015 and 2018. “We acknowledge that we do not have a complete view of active exploitation, and just because we did not detect any zero days during those years, does not mean that the exploitation did not occur. The available exploitation data suffers from sampling bias,” they point out in a statement.
For this reason, they consider it more important “how a ‘software’ provider designs its ‘software’ (so that the impact of any individual error is limited) and responds to critical security errors”.