Google: 2021 was a record year for zero-day hacks

The search engine behemoth published its 2021 review of Project Zero, revealing a record number of zero-day exploits affecting some of the world’s largest technology companies.
21 April 2022


  • The end-of-year report for 2021 confirmed that 58 zero-day hacks were discovered — the highest number detected since Project Zero’s inception
  • It’s also highly likely that there were other zero-days that were exploited in the wild and detected, but were not mentioned by vendors, Google believes

A zero-day exploit — a cyberattack targeting a previously unknown software vulnerability — is easily one of the most severe malware threats out there. Especially in the last couple of years, hackers have been exploiting more flaws for which vendors have yet to release a patch. But it wasn’t until 2021 that zero-day hacks peaked, according to Google, with the number of attacks more than doubling from the year before.

Early in 2022, Google published its 2021 review of Project Zero, revealing a record number of zero-day exploits affecting some of the world’s largest technology companies. “2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014,” Google Project Zero’s security researcher Maddie Stone said in the blog post.

The number of zero-day hacks detected last year is also more than double the previous maximum of 28 detected in 2015. By comparison, only 25 were detected in 2020. Google also emphasized that the record 58 zero-day exploits that were publicly detailed aren’t necessarily an indication of “increased usage of zero-day exploits.”

On the contrary, the company ascribes it to the increased detection and disclosure of these zero-days. “It’s highly likely that in 2021, there were other zero-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in the wild,” Stone said.

Until Google is confident that all vendors are transparently disclosing in-the-wild status, there’s a big question of how many in-the-wild zero-days are discovered but not labeled publicly by vendors, Stone highlighted. Separately, seven Android zero-days were also identified — quite a big jump from the single exploit found in 2019. Incidentally, that 2019 exploit was the only other discovery by the Project Zero team pertaining to Google’s mobile operating system.

Zero-day hacks with Big Tech

Google also included WebKit, Apple’s web browser engine that powers Safari, in its findings. Prior to 2021, Apple had acknowledged only one publicly known in-the-wild 0-day targeting WebKit/Safari, and that was due to data shared by an external researcher.

In stark contrast, there were seven zero-days detected last year alone. “This makes it hard for us to assess trends or changes since we don’t have historical samples to go off of. Instead, we’ll look at 2021’s WebKit bugs in the context of other Safari bugs not known to be in-the-wild and other browser in-the-wild 0-days,” Stone added.

Prior to this, the iPhone maker had not detailed its experience with 0-day exploits. However, “2021 was the first full year that Apple annotated their release notes with in the wild status of vulnerabilities.” To this end, five iOS zero-days were confirmed by Apple, while the first publicly discovered macOS zero-day was uncovered as well.

Even for Microsoft’s Internet Explorer and its successor Edge, which have had a pretty consistent number of 0-days each year, 2021 unfortunately tied the 2016 record for the most in-the-wild Internet Explorer 0-days Google has ever tracked. This is despite Internet Explorer’s share of web browser users continuing to shrink.

Overall, “until the day that attackers decide to happily share all their exploits with us, we can’t fully know what percentage of 0-days are publicly known about. However when we pull together our expertise as security researchers and anecdotes from others in the industry, it paints a picture of some of the data we’re very likely missing,” Stone said.

While there has been progress on detection and disclosure, Google reckons that progress has demonstrated just how much work there still is to do. Among the concrete steps Google recommends the tech and security industries take to create even more forward momentum is establishing an industry standard for all vendors to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited.