Of the 58 zero-day exploits in popular software that Google’s Project Zero tracked in 2021, only two were particularly novel, while the rest relied on the same techniques over and again.
That’s both good and bad news for the software industry.
2021 was a record year in terms of the number of zero-day flaws in software like Chrome, Windows, Safari, Android, iOS, Firefox, Office and Exchange that Google Project Zero (GPZ) tracked as being exploited in the wild before a vendor patch was available.
At 58, that was more than double the previous annual high since GPZ started tracking in-the-wild zero days in mid-2014.
Google security researchers have previously pointed out the problems with deriving trends from data about zero days in the wild. For example, just because a bug wasn't spotted, that doesn't mean it wasn't being exploited. Google has argued that detection is getting better. But there was also a major gap in the data: exploit samples were available for only five of the 58 vulnerabilities, so for the rest the analysis had to rely on the bugs themselves rather than the exploits.
While zero days that are discovered in the wild are a “failure”