In the lead up to the busiest online shopping season of the year, Google released the latest emergency patch—the eighth this year—for a Google Chrome zero day vulnerability being exploited in the wild. Because web browsers are such an essential element of our work and personal lives, it’s natural that zero days affecting browsers draw a lot of attention and browser security is a hot topic.
More is not merrier
Indeed, Chrome isn’t the only victim: about one third of the zero days that Google Project Zero has identified in the wild this year target web browsers. Even though Chrome is grabbing many of the vulnerability and exploit headlines, it’s important to remember that Chrome (or, more correctly, the Chromium Project) is the “parent” of other popular browsers (including Microsoft Edge and many commercial enterprise browser products), which means that Google Chrome vulnerabilities are “inherited” by those browsers and the same exploits affect them too.
0-day Exploits – Troubling timing trends
It’s not just that there seem to be more 0-days; it’s also that they’re being developed faster. A 2017 study by the RAND Corporation found that the median time to develop a functional zero day exploit was 22 days; as of 2022 a new 0-day exploit is discovered in the wild about every 17 days, while it takes software vendors an average of 15 days to patch the underlying vulnerability.

Unfortunately for derivative browsers, there’s more to the patch gap than meets the eye: once a patch is created for the upstream project (i.e., Chromium), it must still be merged into the codebases of downstream projects and then go through each vendor’s entire release pipeline (e.g., code review, automated build, QA, deployment to download servers, etc.). This can result in substantial delays between the time the vulnerability is discovered and the time the patch is available. Organizations must also conduct their own testing and rollouts, further increasing the time before the patch is actually installed.

Worse still, patching may not be sufficient. In findings presented at the FIRST Conference in June 2022, Google Project Zero researcher Maddie Stone’s root cause analysis of zero day vulnerabilities revealed that fully 50% of the 0-day exploits found in 2022 targeted variants of previously patched vulnerabilities.
0-day Vulnerabilities – Everything we know might not amount to much
Perhaps most alarming of all is that—even with all the available information on 0-days—just how widespread they are remains unclear. In the study above the RAND Corporation found that, for a given stockpile of zero days, only a little over 5% had been separately discovered after a period of 12 months; after 14 years, more than half remained undiscovered. Separately, the Google Project Zero team is circumspect about the actual rate of detection of zero days in the wild and cautions against “draw[ing] overarching conclusions… based on a limited data set”. Such unknown parameters can make it difficult to plan and implement adequate defenses.
Are we “borrowing trouble”?
Enterprise Browser Security
Taking the scary and the not-so-scary together, a practical defense necessarily involves a solution that provides protection against exploits, whether they target zero days or known vulnerabilities whose patches have not yet been applied, as well as against more conventional (and common) types of browser- and web-based attacks.