Google has reported a significant surge in zero-day vulnerabilities, with an increase of over 50% from 2022 to 2023. The rise in bugs found in third-party components is particularly concerning.
Google’s 2023 Review: We’re All in This Together
The tech giant’s 2023 review, titled ‘We’re All in This Together’, brings together the findings of its Threat Analysis Group (TAG) and Mandiant research teams. The teams found a total of 97 zero-days in 2023, just short of the record 106 detected in 2021.
Investments in Security by End-User Platform Vendors
The report highlights the “notable investments” made by end-user platform vendors such as Apple, Google, and Microsoft to curb the number of exploitable zero-days. These efforts have rendered certain types of threats “virtually non-existent” today.
Enterprise-Focused Technologies: A Different Story
However, the situation is starkly different for enterprise-focused technologies. Google observed a 64% year-on-year increase in zero-days in this sector, along with a general uptick in the number of vendors targeted since at least 2019. The report points out a specific focus on security software and appliances over the past year.
Increasing Threats to Enterprise Technologies
“On the enterprise side, we see a wider variety of vendors and products targeted, and an increase in enterprise-specific technologies being exploited,” the report states.
The report emphasizes the importance of quickly discovering and patching bugs, which shortens the lifespan of an exploit and raises the cost for attackers of maintaining their capabilities. It calls on the industry to apply these lessons to the wider ecosystem of vendors now finding themselves under attack.
Google’s Key Takeaways
The report also highlights several notable trends:
- Attackers are shifting their focus to third-party components and libraries, as exploiting these vulnerabilities can scale to affect more than one product.
- Commercial spyware companies were behind 75% of zero-days targeting Google products and Android ecosystem devices in 2023, and 60% of zero-days in browsers and mobile devices overall.
- China was responsible for more government-driven zero-days than any other state in 2023, with a total of 12.
- Financially motivated actors accounted for just 10 zero-days, fewer than in 2022.