Maddie Stone, a researcher on Google’s Project Zero team, published an overview of her talk, “0-day In-the-Wild Exploitation in 2022…so far”, which she gave at the FIRST cybersecurity conference last month. As the title suggests, the talk covered zero-day vulnerabilities that were exploited in the wild in the first half of this year.
According to Stone, from the beginning of 2022 through June 15 the researchers identified and disclosed eighteen 0-day vulnerabilities. It is worth noting that at least nine of them are variants of previously fixed flaws.
“At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests,” said the researcher.
Furthermore, four 0-days of 2022 are variants of 2021 0-days. Just 12 months after the original flaw was patched, attackers came back with a new version of it. For example, the infamous critical vulnerability in Microsoft Windows (CVE-2022-30190), known as ‘Follina’, is a variant of last year’s remote code execution bug in Microsoft MSHTML (CVE-2021-40444).
Another Windows vulnerability, CVE-2022-21882, is a new iteration of the privilege escalation bug in Microsoft Windows (CVE-2021-1732) that did get a patch, but that patch turned out to be insufficient. According to Stone, only “the execution flow that the proof-of-concept exploits took were patched, but the root cause issue was not addressed”. Thus, attackers could exploit the original bug by a different route.
The RCE vulnerability in WebKit (CVE-2022-22620), known as ‘Zombie’, and the spoofing flaw in Microsoft Windows LSA (CVE-2022-26925), known as ‘PetitPotam’, are the results of regressed patches.
An iOS IOMobileFrameBuffer bug (CVE-2022-22587) is a variant of last year’s CVE-2021-30983.
The RCE vulnerability in Google Chrome (CVE-2022-1096) is a resurrection of CVE-2021-30551.
Other 2022 zero-days that are variants of improperly addressed security flaws are CVE-2022-1364 in Chrome, a new variant of CVE-2021-21195, and CVE-2022-26134 in Atlassian Confluence, a new variant of CVE-2021-26084.