0-days Are Both Scarier and Less Scary Than You Probably Think
In the lead up to the busiest online shopping season of the year, Google released the latest emergency patch—the eighth this year—for a Chrome 0-day exploit in the wild. Because web browsers are such an essential element of our work and personal lives, it’s natural that 0-days affecting browsers draw a lot of attention and browser security is a hot topic.
More is not merrier
Indeed, Chrome isn’t the only victim: fully one third of the 0-days that Google Project Zero has identified in the wild this year target web browsers. Even though Chrome is grabbing many of the vulnerability and exploit headlines, it’s important to remember that Chrome (or, more correctly, the Chromium Project) is the “parent” of other popular browsers (including Microsoft Edge and many commercial enterprise browser products), which means that vulnerabilities and exploits affecting Chrome are “inherited” by those other browsers as well.
Troubling timing trends
It’s not just that there seem to be more 0-days; it’s also that they’re being developed faster. A 2017 study by the RAND Corporation found that the median time to develop a functional 0-day exploit was 22 days; as of 2022 a new 0-day exploit is discovered in the wild about every 17 days, while it takes software vendors an average of 15 days to issue a patch for the underlying vulnerability.

Unfortunately for derivative browsers, there’s more to the patch gap than meets the eye: once a patch is created for the upstream project (i.e., Chromium), it must still be merged into the codebases of downstream projects and then go through each vendor’s entire release pipeline (e.g., code review, automated build, QA, deployment to download servers, etc.). This can result in substantial delays between the time the vulnerability is discovered and the time the patch is available. Organizations must also conduct their own testing and rollouts, further increasing the amount of time before the patch is installed. Worse still, patching may not be sufficient. In findings presented at the FIRST Conference in June 2022, Google Project Zero researcher Maddie Stone’s root cause analysis of 0-day vulnerabilities revealed that fully 50% of the 0-day exploits found in 2022 targeted variants of previously patched vulnerabilities.
Everything we know might not amount to much
Perhaps most alarming of all is that—even with all the available information on 0-days—just how widespread they are remains unclear. In the study above the RAND Corporation found that, for a given stockpile of 0-days, only a little over 5% had been separately discovered after a period of 12 months; after 14 years, more than half remained undiscovered. Separately, the Google Project Zero team is circumspect about the actual rate of detection of 0-days in the wild and cautions against “draw[ing] overarching conclusions… based on a limited data set”. Such unknown parameters can make it difficult to plan and implement adequate defenses.
Are we “borrowing trouble”?
There is a bit of good news, however. First, for an attacker to successfully compromise a target, an exploit chain (i.e., more than one exploit) is often required. For browsers, this typically involves some sort of exploitation of the Document Object Model (DOM) renderer or the JavaScript Engine (JSE), coupled with a sandbox escape, and privilege escalation. Second, 0-days represent a relatively small percentage of vulnerabilities overall. There is a far greater risk from unpatched N-day vulnerabilities because their technical details are well-known, and Proof-of-Concept (POC) exploit code may be publicly available. Third, 0-day exploits remain “precious”: they can be costly to develop or obtain, and—in order to prevent accidental discovery—they are usually not deployed casually or widely (initially, at least). But while browsers themselves may not be attacked directly, they can still be involved in attacks like phishing campaigns, clickjacking, cross-site scripting (XSS), HTML smuggling, and more.
Conclusion
Taking the scary and not-so-scary together, a practical defense necessarily involves a solution that can provide protection against exploits whether they are 0-days or unpatched N-days, as well as more conventional (and common) types of browser- and web-based attacks.
Schedule a demo to see how Seraphic Security can help you add enterprise browser security for any user on any device running any browser, anywhere.