Hello again, Kyle Fox here. This week we have a bit of Google related news and helpful regulatory updates from the SEC.
Google Year in Review of 0-Days Exploited in the Wild
Google has published its review of 0-days exploited in the wild during 2022. Unsurprisingly, one of the notable trends they saw is that 40% of the 0-days discovered were variants of previously reported 0-day vulnerabilities. If you have been paying attention to vulnerability trends this is expected: researchers learn new techniques from earlier bugs, and when one mistake was made while writing a piece of software, similar mistakes were probably made elsewhere in it. As they say, history rhymes.
Another notable conclusion from the report is that long patch times on Android have been allowing exploits to appear in the wild before patches from many manufacturers reach devices. The interaction between the operating system, maintained by the Android team, and the various layers of manufacturers often requires a fix for a device-driver vulnerability to be bounced between large and notoriously slow engineer... before it lands on the average user's phone. While this is really bad, it reminds me of the embedded IoT vulnerability iceberg lurking somewhere out there, seeing as those manufacturers rarely issue updates at all.
A third notable conclusion, and one we have seen at F5, is that more and more researchers are finding the same vulnerability at the same time. We have noticed this trend ourselves: the rhyming of vulnerabilities leads researchers to concentrate on the same areas of the software they investigate. The dark side of this conclusion is that wherever researchers are finding these bugs, attackers are probably finding them too.
Google and Apple Rolling Out Remote Attestation for Browsers