In the lead up to the busiest online shopping season of the year, Google released the latest emergency patch—the eighth this year—for a Chrome 0-day exploit in the wild. Because web browsers are such an essential element of our work and personal lives, it’s natural that 0-days affecting browsers draw a lot of attention and browser security is a hot topic.
More is not merrier
Indeed, Chrome isn’t the only victim: fully one third of the 0-days that Google Project Zero has identified in the wild this year target web browsers. Even though Chrome is grabbing many of the vulnerability and exploit headlines, it’s important to remember that Chrome (or—more correctly—the Chromium Project) is the “parent” of other popular browsers (including Microsoft Edge and many commercial enterprise browser products), meaning that vulnerabilities and exploits affecting Chrome are “inherited” by those other browsers.
Troubling timing trends
It’s not just that there seem to be more 0-days, it’s also that they’re being developed faster. A 2017 study by the RAND Corporation found that the median time to develop a functional 0-day exploit was 22 days; as of 2022 a new 0-day exploit is discovered in the wild about every 17 days, while it takes software vendors an average of 15 days to issue a patch for the underlying vulnerability. Unfortunately for derivative browsers, there’s more to the patch gap than meets the eye: once a patch is created for the upstream project (i.e., Chromium), it must still be merged with the codebases of downstream projects and then go through individual vendors’ entire release pipelines (e.g., code review, automated build, QA, deployment to download servers, etc.). This can result in substantial delays between the time the vulnerability is discovered and the time the patch is available. Organizations must also conduct their own testing and rollouts, further increasing the amount of time before the patch is installed. Worse still, patching may not be sufficient. In findings presented at the FIRST Conference in June 2022, Google Project Zero researcher Maddie Stone’s root cause analysis of 0-day vulnerabilities revealed that fully 50% of the 0-day exploits found in 2022 targeted variants of previously patched vulnerabilities.
Everything we know might not amount to much
Perhaps most alarming of all is that—even with all the available information on 0-days—just how widespread they are remains unclear. In the study cited above, the RAND Corporation found that, for a given stockpile of 0-days, only a little over 5% had been independently discovered by others after a period of 12 months; after 14 years, more than half remained undiscovered. Separately, the Google Project Zero team is circumspect about the actual rate of detection of 0-days in the wild and cautions against “draw[ing] overarching conclusions… based on a limited data set”. Such unknown parameters can make it difficult to plan and implement adequate defenses.
Are we “borrowing trouble”?
Taking the scary and not-so-scary together, a practical defense necessarily involves a solution that can provide protection against exploits whether they are 0-days or unpatched N-days, as well as more conventional (and common) types of browser- and web-based attacks.
Schedule a demo to see how Seraphic Security can help you add enterprise browser security for any user on any device running any browser, anywhere.