You know you’ve made it as a software company when an independent researcher tells you that your software is being exploited by hackers.
Except it turns out that even this ribbon of distinction is becoming all-too common. Even Apple has joined the club. In 2022, Apple has disclosed just as many 0-day vulnerabilities as Microsoft and Google.
This marks a significant departure from the historical trend. Security has been one of the primary reasons for buying iOS products. In the 2000s and 2010s, Windows users needed to worry about viruses and malware, not Apple owners. Viruses just didn’t happen.
Counting the 0-Days in 2022
That story is now trending in the opposite direction. Last year, Apple was forced to announce 12 0-day vulnerabilities. That is a significant rate for any company, considering that this year a total of 17 0-days have been tracked, and 4 of those were Apple’s. iOS and macOS were the most common victims each with 1.5 zero-days, but WebKit was also.
Microsoft tends to announce more 0-days than Apple, but the juggernauts are tied as of June 16, 2022. Late in May, Microsoft’s contribution was a particularly nefarious remote-code execution vulnerability (CVE-2022-30190P).
Remote code execution is one of the worst type of exploits because it essentially gives an attacker the ability to run any script they want to run, on your machine.
Follina was more popularly known because, although the actual vulnerability occurred in its Support Diagnostic Tool, the exploit, as found “in the wild” used malicious Word documents to transport and execute the vulnerability. Just the idea that a word document could essentially give a hacker carte blanche on your entire machine is frightening.
Google Android and Chrome have both tallied two vulnerabilities in 2022 already. Chrome is used by 77% of desktops worldwide (Kinsta), and Android is used by roughly 46% of mobile devices (Statista). That leads to an incredible number of vulnerable online activities, leading to an increase in botnets, malware, and compromised machines worldwide.
Admittedly, counting Mozilla in this list is somewhat unfair. Its 0-days were exploited in the Pwn2Own Vancouver 2022 hacking contest in May — NOT discovered out in the wild as the Tactics, Techniques and Procedures (TTP) of an emerging threat. Technically speaking, they are 0-day exploits because they were discovered “publicly” before Mozilla knew about them. But Mozilla is still the smallest problem on this list for that reason.
Miscellaneous: Tally One Each for Trend Micro and Atlassian
Are they handing out awards to just anyone these days? Atlassian is not a consumer software company, but they help drive a significant amount of code development for organizations worldwide. To give an idea, 83% of Fortune 500 companies use Atlassian products. And if your business develops its own custom code, then you probably do too.
Trend Micro is a cybersecurity provider for business, delivering security products to over half a million businesses and more than a quarter billion individual employees worldwide.
What Does this Mean for Small and Mid-Sized Businesses?
It is not all bad, but it is not all good either.
Each of these marks is given for 0-day vulnerabilities, which were observed “in use” before they were patched, giving malicious actors the authority to execute whatever scripts they wanted on other machines and workstations — not just a handful but millions, tens of millions, even hundreds of millions of machines.
For the hackers and hacker organizations who discovered these backdoors before anyone else, it was like winning the lottery. How much sensitive information were they able to pull out before the flaw was patched? And how many machines continue to use old versions of the software that now provides easy access and control?
The number and severity of these 0-days should be a cautionary tale for every business. At any given moment, it is likely that millions of computers are susceptible to exploits. That is why we need to monitor network traffic, not only across the firewall but as part of a Zero Trust policy, inside the business network. We need to have tools that help IT professionals decipher when an attack is occurring, so that it can be quarantined and controlled as soon as possible.
To presume that we are unassailable just does not make sense when you look at these facts.
As a bright spot, we have seen software companies as a whole take a larger interest in monitoring for emerging threats. This means that we are as a community able to respond to threats sooner, before they can take the entire user base unaware with devastating impact.
It will be critical for cybersecurity professionals to continue to embrace an agile, responsive framework moving forward, so that we can limit the real damages that hacker organizations can do before we shut the door.