2021 was a record year for the number of zero-day flaws in Chrome that attackers were exploiting before Google knew about them. Is Google losing the race against attackers?
According to Google Project Zero’s zero-day tracker, there were 25 browser zero-days patched last year, of which 14 were for Chrome, six were for Safari’s WebKit engine, and four were for Internet Explorer. In 2020, there were just 14 browser zero-day flaws, of which more than half were in Chrome. But between 2015 and 2018 there were no Chrome zero-day exploits in the wild, according to the tracker data.
Adrian Taylor, a technical program manager on the Chrome Security Team, says in a blog post that the increase in browser zero-days “may initially seem concerning” and “could point to a worrying trend”. But he argues it could be a good thing because it means more zero-days are being caught and fixed.
In other words, interpreting trends in zero-day data – such as the suggestion there were no zero-days between 2015 and 2018 – is difficult because the data only includes flaws that are now known about and hopefully fixed. There