Zero-day attacks are putting the squeeze on Apple, Google, and Windows devices

iOS, Windows, and Chrome all have zero-day vulnerabilities that hackers are routinely going after.
17 September 2021

Private Israeli firm NSO Group denied media reports its Pegasus software is linked to the mass surveillance of journalists and rights defenders. Now spyware like Pegasus has been found to threaten devices as well. (Photo by JOEL SAGET / AFP)

  • Google team Project Zero has tallied 44 zero-days this year alone — hackers likely discovered them before researchers did
  • 2020 attacks only involved Android and Windows exploits, while more recent attacks also affected the iOS devices

When a newly discovered software flaw is identified and no patch or update is available at the time of discovery, it is called a zero-day vulnerability or a zero-day incident. Attacks that exploit such flaws are called zero-day attacks because the developers and the experts have had ‘zero days’ to find a solution in the form of a patch or an update.

Once considered highly valuable cyberweapons in the arsenal of elite government hackers, publicly disclosed zero-day exploits have been on a sharp rise. Project Zero, a Google team devoted to identifying and cataloging zero-days, has tallied 45 this year alone — hackers had likely discovered them before researchers did. That itself is a sharp rise from last year, which saw 25 zero-days recorded. Notably, the number has increased every year since 2018.

Just this week, Apple, Google, and Microsoft all pushed security fixes for vulnerabilities that hackers are actively exploiting — a zero-day patching extravaganza featuring some of the biggest tech giants. Google researchers have been warning users with iOS, Android, and Windows devices to be cautious of the growing vulnerabilities caused by zero-day perpetrators.

Have zero-day attacks been around for a while?

Data compiled by Google’s Project Zero since the team was founded in July 2014 reveals that 2021 is the biggest year on record for ‘in the wild’ zero-day exploits. Between 2015 and 2020, the count remained stable, with a dip to 12 in 2018 serving as an outlier.

In February 2020, a group of hackers exploited four vulnerabilities using different types of attacks. Discovered by Google’s Threat Analysis Group (TAG) and Project Zero researchers, the four zero-days were used as part of three targeted malware campaigns that exploited previously unknown flaws in Google Chrome, Internet Explorer, and WebKit, the browser engine used by Apple’s Safari.

Google then released new details about the four zero-day security vulnerabilities. Maddie Stone, a researcher from Project Zero, stated that the same notorious team of hackers is behind past and recent attacks of undetermined attribution, which have involved exploitation of iOS devices along with Android and Windows-based gadgets.

This year, Chinese hackers were caught using zero-days in Microsoft Exchange to steal emails and plant ransomware. In July, ransomware criminals used a zero-day in software sold by the tech company Kaseya to bring down the networks of more than 1,000 companies.

Most recently, researchers raised the alarm about a big zero-day attack: The Israeli spyware company NSO Group, which sells programs for governments to remotely take over people’s smartphones and computers, had figured out a new way into practically any Apple device by sending a fake GIF through iMessage. The only way to guard against it is to install Apple’s just-released, emergency software update.

After researchers at Citizen Lab, a cybersecurity watchdog at the University of Toronto, discovered that a Saudi activist’s iPhone had been infected with an advanced form of the NSO spyware, Apple hurriedly issued emergency software updates for a critical vulnerability affecting all its hardware — iPhones, MacBooks, and Apple Watches — early this week.

The spyware, called Pegasus, used a novel method to invisibly infect Apple devices without victims’ knowledge. It is known as a “zero-click remote exploit,” and is considered the Holy Grail of surveillance because it allows governments, mercenaries, and criminals to secretly break into someone’s device without tipping the victim off.

Using the zero-click infection method, Pegasus can then turn on a user’s camera and microphone, record messages, texts, emails, calls — even those sent via encrypted messaging apps like Signal — and send them back to NSO’s government clients worldwide.

The discovery means that more than 1.65 billion Apple products in use worldwide have been vulnerable to NSO’s spyware since at least March. Almost paradoxically, the rise in zero-days reflects an online world in which targeted individuals are more vulnerable, while the anonymous masses are somewhat safer.

In a report by Security Magazine, Lookout Security Solutions senior manager Hank Schless said, “Google has been able to patch vulnerabilities quickly because Chrome is a cloud-based solution across Windows, Mac, Android, iOS, and other devices. This is a good example of why it’s important to use a cloud-based solution rather than legacy apps that are supported by on-premise infrastructure.”