According to data collected by Google’s Project Zero security team, there have been 11 zero-day vulnerabilities exploited in the wild in the first half of the year.
The current number puts 2020 on track to have just as many zero-days as 2019 when Google security researchers said they tracked 20 zero-days all of last year.
Details about these zero-days have been obtained from a spreadsheet managed by Google security researchers, which the company made public available earlier this year. The spreadsheet contains Google’s internal statistics about in-the-wild zero-day usage going as far back as 2014, when the company began tracking said stats.
Below we will list this year’s current zero-day vulnerabilities.
Below that, we will also summarize the most important conclusions of the Google’s first Zero-Day Year in Review report, which the company published last week, detailing 2019 zero-days and their causes.
1. Firefox (CVE-2019-17026)
This zero-day was used as part of a combo with another zero-day. See below.
Patched here, in Firefox 72.0.1.
2. Internet Explorer (CVE-2020-0674)
Both of Firefox zero-day listed above and this one have been used by a nation-state hacking group known as DarkHotel, believed to be operating out of the Korean peninsula (unclear if from North Korea or South Korea). Both zero-days have been used to spy on targets located in China and Japan, hence why they were both discovered by Qihoo 360 (Chinese antivirus maker) and JPCERT (Japan’s Computer Emergency Response Team).
Victims of this campaign were redirected to a website where they’d be served either the Firefox or IE zero-day, and then they were infected with the Gh0st remote access trojan.
Patched here, in the Microsoft February 2020 Patch Tuesday.
3. Chrome (CVE-2020-6418)
This zero-day was detected exploited in the wild by Google’s Threat Analysis Group, and details about the attacks where it was used were never released.
Patched here, in Chrome version 80.0.3987.122.
4. & 5. Trend Micro OfficeScan (CVE-2020-8467 and CVE-2020-8468)
Both zero-days were discovered internally by Trend Micro staff. It is believed the zero-days were discovered while Trend Micro investigated a 2019 zero-day in the same product that was used to hack Mitsubishi Electric.
6. & 7. Firefox (CVE-2020-6819 and CVE-2020-6820)
Details about the attacks where these two Firefox zero-days have been used have not yet been released, although, security researchers suggested these might be part of a larger exploit chain.
Patched here, in Firefox 74.0.1.
8. & 9. & 10. (CVE-2020-0938, CVE-2020-1020, and CVE-2020-1027)
All three bugs have been discovered and reported to Microsoft by Google TAG, and just like most Google TAG discoveries, no details about the attacks have been released — yet.
Patched here, here, and here, in the Microsoft April 2020 Patch Tuesday.
11. Sophos XG Firewall (CVE 2020-12271)
A group of hackers discovered earlier this year a zero-day in XG, a top-shelf firewall product developed by UK security firm Sophos. The zero-day, an SQL injection in the firewall’s management panel, allowed hackers to plant the Asnarok backdoor on infected systems. In an investigation, Sophos said hackers tried to deploy the Ragnarok ransomware on infected hosts once its zero-day made the news, but the company says it blocked most attempts.
Putting aside this year’s zero-days, let’s take a look over Google’s analysis of last year’s zero-days.
The bullet list below contains Google’s primary conclusions from its 2019 Zero-Day Year in Review report, which took a thorough look at how security firms are discovering zero-days, which software products are impacted the most, why, and what are the primary causes for most zero-days.
Google said that it plans to publish an annual Zero-Day Year in Review report each year, going forward.