2021 was a record year for the number of zero-day vulnerabilities in Chrome that attackers exploited before Google knew about them. Is Google losing the race against attackers?

According to Google’s Project Zero zero-day tracker, there were 25 browser zero-day patches last year, including 14 for Chrome, six for Safari’s WebKit engine and four for Internet Explorer. In 2020, there were only 14 zero-day flaws in browsers, more than half of which were in Chrome. But between 2015 and 2018, there were no zero-day Chrome exploits in the wild, according to tracker data.

Adrian Taylor, technical program manager on Chrome’s security team, says in a blog post that the rise in browser zero days “may initially seem concerning” and “could indicate a worrying trend.” But he argues that could be a good thing because it means more zero days are detected and fixed.

TO SEE: Cybersecurity: let’s get tactical (ZDNet special report)

In other words, interpreting trends in zero-day data – such as the suggestion that there were no zero-days between 2015 and 2018 – is difficult because it only includes those that are now. known and hopefully corrected. There are probably other undiscovered ones that are used there.

“We don’t believe there was no operating Chromium-based browsers between 2015 and 2018,” Taylor notes.

“We recognize that we do not have a full view of active exploitation, and just because we have not detected zero days in these years does not mean that exploitation has not taken place. The available operational data suffers from sampling bias.”

This is similar to a conclusion on zero-days that Google’s Threat Analysis Group (TAG) made last year: “There is no one-to-one relationship between the number of 0-days used in the wild and the number of 0-days being detected and disclosed as being in the wild.”

Still, many zero-day exploits have been discovered in 2021. Taylor offers four reasons for this. First, browser makers today are more transparent about exploited bugs in the wild than in the past. Google Project Zero — which gives vendors 90 days to fix a bug before disclosing it publicly — has helped normalize this behavior from major software vendors.

Another factor is the demise of the Adobe Flash Player desktop browser plugin, which was a primary target for attackers in 2015 and 2016, but browser makers and Adobe dropped support for it on December 31, 2020.

“As Flash is no longer available, attackers have had to turn to a more difficult target: the browser itself,” Taylor writes.

On top of that is the popularity of open source Chromium used by Brave, Opera, Vivaldi, etc. Although Edge is not as popular as Chrome, it comes with Windows 10 and Windows 11.

“Attackers are targeting the most popular target. In early 2020, Edge switched to using the Chromium rendering engine. If attackers can find a bug in Chromium, they can now attack a larger percentage of users,” explains Taylor.

Another cause for the apparent increase in browser zero days is that due to efforts to harden the browser, such as isolating Chrome’s site, attackers must string together multiple bugs to actually exploit a browser. Thus, attackers need more ammo for the same effect.

“For the exact same level of attacker success, we would see more bugs in the wild reported over time as we add more layers of defense that the attacker has to work around,” he notes.

TO SEE: How Russia’s Invasion of Ukraine Threatens the IT Industry

Finally, the navigation software is vast and now almost as complex as an operating system.

“More complexity means more bugs,” Taylor comments.

It also highlights recently published research from Project Zero on how quickly software vendors fix defects. Chrome patched and released faster than WebKit and Firefox.

Google is urging all vendors to implement a more frequent patch cadence for security issues. Chrome, for example, cut its stable release cycle from six weeks to four weeks. Microsoft implemented the same cycle for Edge starting with the release of version 94 in September.