Vendors should fix the root cause of a vulnerability, rather than block just one path to triggering it, says Google

Google’s Project Zero team revealed that a quarter of zero-day exploits detected in 2020 could have been prevented had the vendors issued proper patches for the underlying security flaws. In its Year in Review bloggpost, the team said that of the 24 zero-days that were detected in the wild, six were related to previously disclosed vulnerabilities.

“Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit,” said Maddie Stone, a Project Zero security researcher.

The list includes CVE-2020-0674, a zero-day that affected Internet Explorer and is a variant of CVE-2018-8653, CVE-2019-1367, and CVE-2019-1429, all three of which had previously been exploited in the wild.

Among the other zero-days singled out is CVE-2020-27930 which was one of the three zero-day bugs quashed by Apple in November 2020 and was also related to an earlier security loophole – CVE-2015-0093. A vulnerability in the FreeType library, which is indexed as CVE-2020-15999 and was found to affect Google’s Chrome web browser last October, also made the list.

Source: Google Project Zero

“1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored,” said Stone.

Correct and comprehensive

Patches are often incomplete in the sense that they “don’t correctly and comprehensively fix the root cause of a vulnerability”, said the Project Zero team, which maintains this “In the Wild” spreadsheet that lists all actively exploited zero-day exploits going as far back as 2014.

They observed that instead of addressing the vulnerability as a whole, vendors often shut down “only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole, which would block all of the paths.” This, in turn, allows threat actors to target users with zero-day attacks with less effort.

RELATED READING: Rough patch, or how to shut the window of (unpatched) opportunity

“A correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability. A comprehensive patch applies that fix everywhere that it needs to be applied, covering all of the variants. We consider a patch to be complete only when it is both correct and comprehensive,” Stone said.

As Stone puts it, the overarching aim should be to make the job of cybercriminals as hard as possible: “The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that, we need correct and comprehensive fixes.”

While achieving that goal may not be an easy task, the path that organizations need to take seems to be clear – they need to invest, prioritize and plan.