Google recorded the most zero-day exploits ever in 2021

Last year had more than double the published vulnerabilities of 2020

Online security and user experience go hand-in-hand — no one's going to want to use even the fanciest phone in the world if it leaves you wide open to hackers. That’s why developers are constantly working behind the scenes to keep users secure, but inevitably, some security flaws go through unnoticed. Maybe the scariest class is zero-day exploits, for which no patch to fix these holes exist when attacks first land. This week Google's looking back over efforts to discover these vulnerabilities, and with 58 of them were detected and disclosed in 2021, 0-days had their single busiest year yet.

Those 58 zero-days found across 2021 represent more than double the 25 exploits detected in 2020. Does this mean that software is becoming more insecure or that hackers have doubled down their efforts? Instead, Google suggests that the trend is more likely the result of improved detection of zero-day issues by the likes of Microsoft, Apple, and Google itself.

The post breaks down the 2021 zero-day exploits in great detail, but what stands out most is just how far behind many vendors are in taking steps to do something about known vulnerabilities. Google’s Project Zero (a team of elite bug hunters) aims to make it more costly, resource-intensive, and overall more difficult for attackers to use zero-days, but that's very much a work in progress. Of the detected zero-days, only two (targeting iOS and Mac devices) were really new-new. The rest were variations of well-known bugs, with most (67%) being some variation of memory-corruption vulnerabilities. The implication is that hackers don't have to try nearly as hard as we'd hope they might to find new attacks.

Google does warn that its record of zero-day attacks is not as all-encompassing as it could be. For example, messaging platforms such as WhatsApp, Signal, and Telegram did not report any zero-day vulnerabilities in 2021, which is surprising considering that all three apps are major hacking targets. In fact, since Google started tracking in 2014, only two zero-days have been reported for messaging apps: WhatsApp in 2019 and iMessage in 2021. The company suspects that a lack of detection or disclosure may be the reason these numbers are so low — not that vulnerabilities don't necessarily exist.

Google hopes the tech industry will share more exploit samples with detailed technical descriptions when disclosing zero-day vulnerabilities. In addition, it’s imploring vendors to do more to render memory corruption bugs unexploitable. In the meantime, you can do your best to protect your devices against malware by ensuring your software is up to date.