A torrent of newly discovered software vulnerabilities over the past few months has some within the cybersecurity research community calling this the “hot zero-day summer.”
During the recent months of June and July, zero-day vulnerabilities were reported in products made by some of the biggest names in software, such as Apple’s iOS and macOS operating systems, Google’s Chrome browser and Microsoft Windows, among others, raising concerns about what these and future security flaws could mean for an increasingly-connected world.
Cybersecurity experts and professionals who spoke with SC Media offered a myriad of possible reasons for this apparent spike, ranging from recent technological developments that have made it easier to find new flaws, to the spread of bug bounty programs throughout many industries and sectors that provide direct financial incentives for security researchers.
A deeper analysis suggests it has been unseasonably warm all year, so to speak, with many (but not all) sources finding that the number of zero-day vulnerabilities reported this year has been up significantly compared to past years.
Jared Semrau, a senior manager at Mandiant for vulnerability and exploitation, suggested a review of the true threat landscape over the past year will reveal that this is simply part of a longer trend.
"While some are playfully referring to this as a zero-day summer, the volume itself hasn’t been that unusual and has remained steadily high throughout the year,” Samrau told SC Media. “In fact, June was a quieter month in terms of disclosures, but instead had a high number of highly visibility incidents, which has resulted in more people noticing than usual.”
Bad news or a good omen for security?
Zero-day vulnerabilities are unaddressed software bugs that risk being exploited until a patch is made available and applied – developers have had “zero days” to prepare countermeasures, so identifying them is of interest to anyone keen on maintaining or breaking a particular product.
While not every vulnerability that becomes public is weaponized, the latest data also shows an uptick in the number of zero-day bugs observed being exploited in the wild.
An online tally maintained by the Zero-Day.cz tracking project has logged a total of 53 zero-day vulnerabilities that have been exploited in the wild through the first seven months of 2023, compared to 52 in all of 2022.
Google’s Project Zero, on its part, has monitored 30 zero-day exploits and counting this year as of July 31, 2023, up from 23 it detected during the same span last year: a roughly 25% increase.
Meanwhile, Trend Micro’s Zero Day Initiative, or ZDI, the self-described "world’s largest vendor-agnostic bug bounty program," told SC Media that its researchers have reported 44 zero-day vulnerabilities this year as of July 31, slightly below pace of the 99 disclosed during all of 2022.
“The number of disclosed vulnerabilities has been steadily increasing over the years, and there is good evidence to suggest that one of the main reasons behind this is that we are getting better at discovering vulnerabilities,” said Octavian Suciu, a postdoctoral researcher in the Maryland Cybersecurity Center at the University of Maryland Institute for Advanced Computer Studies (UMIACS) and the co-author of several academic studies on vulnerability detection.
Speaking to SC Media, George Jones, chief information security officer for breach prevention specialists at Critical Start, similarly attributed the increase to improvements in detection and analysis tools and methodologies, as well as other factors, including economic and geopolitical drivers and heightened awareness among bug hunters.
However, Jones and others agree that the swelling of zero-day discoveries this is likely tied at a fundamental level to the ever-growing connectivity and complexity of increasingly ubiquitous software code used in business and society today.
“Organizational attack surfaces are increasing due to an expanded use of software and technology, providing more opportunities for zero-day vulnerabilities,” Jones told SC Media.
Even looking over the past five years, apps and systems are now far more complex than before. The resulting impacts stem from a “simple equation,” Teresa Rothaar, a governance, risk and compliance analyst at Keeper Security. told SC Media.
“More apps and systems coupled with ever-increasing complexity creates more vulnerabilities.”
A Cambrian explosion of code
As software continues to eat the world, it’s bringing gobs of vulnerable code along with it. Yet while industry and the federal government have stood up a number of initiatives to find and patch previously undiscovered bugs in commercial and open source software, the level of funding and resources dedicated to these projects is often only enough to scratch at the surface of the problem.
Many of the known vulnerabilities recently observed being exploited in the wild are still caused by “common underlying issues,” Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, told SC Media, such as the use of memory unsafe programming languages or a failure to mitigate common attack vectors like SQL injection, for example.
Despite the deluge of newly discovered flaws, a cursory search of marketplace data suggests bug-bounty companies are still offering as much now for exploits as they were before.
Zerodium, an exploit acquisition firm that caters to government clients, is currently offering virtually the same awards for vulnerabilities as it was in 2020, according to its publicly available bounty sheet. As was the case then, the company says it will pay up to $2.5 million for an Android operating system zero-day, up to $2 million for an Apple iOS zero-day and up to $1.5 million for zero-days affecting the WhatsApp and iMessage communication platforms.
Meanwhile secure development at many enterprises continues to take a backseat to other business priorities when it comes to building and shipping software.
“There is still a need for secure coding practice to become ‘the way’ rather than something that happens late in the process, if it happens at all,” said Mike Parkin, a senior technical engineer at Vulcan Cyber.
Due to their sophistication, successful zero-day attacks are often attributed to state actors and organized cybercrime gangs with the resources to spend on researching and deploying them.
Years into developing defenses against less-sophisticated attacks, at least some industry professional surmise the spike in reported zero-day exploits could be an unintended consequence of improved cybersecurity measures making other methods less likely to succeed.
"Intrinsically, bug bounties significantly lean towards zero-day research, primarily due to an underlying competition to uncover vulnerabilities in attack surfaces that are typically already covered by penetration testing or internal testing teams, prior to introducing a crowd of testers,” said Michael Skelton, vice president of security operations and researcher success for Bugcrowd, a leading vulnerability disclosure company. “This spans out further into swift reversal of disclosures into large-scale operable exploits,” he told SC Media.
As hot zero-day summer nears hot zero-day autumn, some experts say the growing number of disclosures is doing a service for the cybersecurity industry by spurring stakeholders to patch up bugs that risk otherwise going undetected – and exploited – until spotted.
"As the research community and product vendors further improve in finding and disclosing vulnerabilities, we expect the number of [known exploitable vulnerabilities] to continue to increase, noting that this visibility enables mitigation before intrusions occurs,” said CISA’s Goldstein.
“Given that known zero days tend to increase remediation urgency, it is likely that these reports have a net positive effect on the community response to these vulnerabilities,” said UMIAC’s Suciu.