Google's elite Project Zero security researchers are again warning that incomplete patching of vulnerabilities lets threat actors vary their techniques and reuse known software bugs.
Project Zero's Maddie Stone posted a half-year report on the zero-day vulnerabilities exploited in the wild so far in 2022, that is, bugs attacked before any patch was available.
The organisation found that in many cases, fixes simply break the proof-of-concept exploit without addressing the root cause of the flaw.
Of the 18 zero-days detected and disclosed so far this year, nine could have been prevented with more comprehensive patching and regression tests, Stone said.
Four of the zero-days found in 2022 are simply variants of bugs discovered in 2021: attackers found a different path to the same underlying flaw and came back to exploit it just 12 months after the original patch.
The zero-days Project Zero saw exploited in the wild affected Microsoft Windows, Apple iOS, the Chromium open-source web browser that's the foundation for Chrome, the WebKit web content rendering engine, Atlassian's Confluence and Google's Pixel smartphone.
In the case of WebKit (part of Apple's Safari browser), the exploited bug was first fixed in 2013, but the patch was regressed in 2016.
The "Zombie" use-after-free memory corruption vulnerability that could be triggered through maliciously coded web content was patched again by Apple in February this year.
In some cases the vulnerabilities were used by repressive regimes targeting dissidents, journalists and human rights activists, and by nation-state threat actors from North Korea to exploit hundreds of victims in the United States.
Stone said the patch regression is not new, and that Project Zero found the same pattern in 2020.
She suggested security teams and researchers perform root-cause analysis to understand how vulnerabilities might have been introduced into the code, and then hunt for flaws similar to the reported bugs.
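The pattern the report describes, a fix that blocks the proof of concept but leaves the root cause in place, is easy to see in miniature. The following is an added, constructed example and not code from Project Zero, Apple or WebKit: a hypothetical `widget` type whose buffer can be released by two code paths, patched three ways. A toy handle allocator reports a read through a freed handle as an error (the job a sanitizer does on real code) so the regression check can run safely, and `version_is_safe` is the kind of test that covers every release path rather than only the one in the original bug report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy allocator: liveness is tracked per slot so a read through
 * a dangling handle is *reported* (returns -1) instead of being undefined
 * behaviour. In real code a sanitizer such as ASan plays this role. */
#define SLOTS 8
static int slot_live[SLOTS];
static int slot_val[SLOTS];

static int toy_alloc(int value) {
    for (int i = 0; i < SLOTS; i++) {
        if (!slot_live[i]) { slot_live[i] = 1; slot_val[i] = value; return i; }
    }
    return -1;
}
static void toy_free(int h) {
    if (h >= 0 && h < SLOTS) slot_live[h] = 0;
}
/* Returns the stored value, or -1 when the handle refers to freed memory. */
static int toy_read(int h) {
    return (h >= 0 && h < SLOTS && slot_live[h]) ? slot_val[h] : -1;
}

/* Hypothetical widget owning one buffer handle (-1 = none). Two operations
 * can drop the buffer. */
typedef struct { int buf; } widget;
typedef void (*widget_op)(widget *);

/* v1: original bug. Both paths free the buffer but keep the stale handle,
 * so any later read through w->buf is a use-after-free. */
static void v1_reset(widget *w)  { toy_free(w->buf); }   /* path the PoC used */
static void v1_shrink(widget *w) { toy_free(w->buf); }   /* the variant path  */

/* v2: "PoC fix". Only the path exercised by the proof of concept was patched;
 * the variant path still leaves a dangling handle behind. */
static void v2_reset(widget *w)  { toy_free(w->buf); w->buf = -1; }
static void v2_shrink(widget *w) { toy_free(w->buf); }

/* v3: root-cause fix. Releasing the buffer happens in exactly one place that
 * always clears the handle, so every current and future path is covered. */
static void v3_release(widget *w) {
    if (w->buf >= 0) { toy_free(w->buf); w->buf = -1; }
}
static void v3_reset(widget *w)  { v3_release(w); }
static void v3_shrink(widget *w) { v3_release(w); }

/* Regression check for one code path: after the operation the widget must
 * hold either no buffer or a live one. Returns 1 if safe, 0 on dangling use. */
static int path_is_safe(widget_op op) {
    memset(slot_live, 0, sizeof slot_live);
    widget w = { toy_alloc(42) };
    op(&w);
    if (w.buf == -1) return 1;        /* handle cleared: nothing to misuse   */
    return toy_read(w.buf) != -1;     /* -1 here means a freed slot was read */
}

/* A regression test covers *all* paths that can release the object, not just
 * the one from the original report. Returns 1 only if every path is safe. */
static int version_is_safe(widget_op reset, widget_op shrink) {
    return path_is_safe(reset) && path_is_safe(shrink);
}

int main(void) {
    printf("v1 original bug : %s\n",
           version_is_safe(v1_reset, v1_shrink) ? "safe" : "UNSAFE");
    printf("v2 PoC-only fix : reset %s, shrink %s\n",
           path_is_safe(v2_reset)  ? "safe" : "UNSAFE",
           path_is_safe(v2_shrink) ? "safe" : "UNSAFE");
    printf("v3 root-cause   : %s\n",
           version_is_safe(v3_reset, v3_shrink) ? "safe" : "UNSAFE");
    return 0;
}
```

Run stand-alone, the v2 line shows the situation the report counts as a preventable zero-day: the reported path is safe, the sibling path is not. The design point is that the regression test enumerates release paths rather than replaying the PoC, which is why it catches the variant that a PoC-only test would miss.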