The volume of zero-day vulnerabilities detected by Google increased by over 50% from 2022 to 2023, with bugs in third-party components on the rise, the tech giant said.
Google revealed the findings in its 2023 year in review, We’re All in this Together, which combined the findings of its Threat Analysis Group (TAG) and Mandiant research teams.
They discovered a total of 97 zero days in 2023, just shy of the record 106 detected in 2021.
The report claimed end-user platform vendors like Apple, Google and Microsoft have made “notable investments” to reduce the number of exploitable zero days threat actors can find, making certain types “virtually non-existent” today.
Read more on zero-days: Google Fixes Sixth Chrome Zero-Day Bug of the Year.
However, the same is not true of enterprise-focused technologies – where Google observed a 64% year-on-year increase in zero days and a general rise in the number of vendors targeted since at least 2019. It claimed to have spotted a particular focus on security software and appliances over the past year.
“On the enterprise side, we see a wider variety of vendors and products targeted, and an increase in enterprise-specific technologies being exploited,” the report noted.
“Over the years we’ve learned that the quicker we discover and patch attackers’ bugs, the shorter the lifespan of the exploit, and the more it costs attackers to maintain their capabilities. We as an industry must now learn how to take those lessons learned and apply them to the wider ecosystem of vendors that are now finding themselves under attack.”
Google's Key Takeaways
Other notable trends in the report include:
- Attackers are shifting their focus to third-party components and libraries as “exploitation of this type of vulnerability can scale to affect more than one product”
- Commercial spyware companies were responsible for 75% of zero days targeting Google products and Android ecosystem devices in 2023, and 60% of zero days in browsers and mobile devices overall
- China was responsible for more government-driven zero days than any other state in 2023: 12
- Financially motivated actors accounted for just 10 zero-days, fewer than the number observed in 2022
Read more: A Guide to Zero-Day Vulnerabilities and Exploits for the Uninitiated