Google Project Zero has started tracking zero-day vulnerabilities exploited in attacks before the impacted vendor released patches.
The new project, named 0Day ‘In the Wild’, is basically a spreadsheet that Project Zero uses to track vulnerabilities exploited before they became known to the public or the vendor.
The spreadsheet currently lists over 100 vulnerabilities exploited in the wild since 2014. The table includes the flaw’s CVE identifier, impacted vendor, impacted product, the type of vulnerability, a brief description, the date of its discovery, the date when a patch was released, a link to the official advisory, a link to a resource analyzing the flaw, and information on attribution.
The list currently includes vulnerabilities affecting products from Facebook, Microsoft, Google, Apple, Adobe, Mozilla, Cisco, Oracle, IBM and Ghostscript. The zero-days are believed to have been exploited, among others, by APT3, FruityArmor, ScarCruft (APT37), BlackOasis, APT28 (Fancy Bear, Sofacy), Equation Group, AdGholas, APT31, Sandworm, Animal Farm, and the controversial spyware makers NSO Group and Hacking Team.
It’s worth noting that the project does not track every single zero-day exploited in the wild and instead focuses on software that is covered by Project Zero research. For instance, zero-days in the InPage word processor, which is mostly used by people who speak Urdu and Arabic, are not included.
It also doesn’t cover exploits for software that has reached end of life (EOL) by the time it’s discovered, such as the ExplodingCan exploit leaked by Shadow Brokers and patched in 2017, or flaws exploited between the time their details became public and the release of a patch, such as the Windows flaw disclosed in August 2018 by a frustrated researcher on Twitter.
“This data is collected from a range of public sources,” explained Project Zero’s Ben Hawkes. “We include relevant links to third-party analysis and attribution, but we do this only for your information; their inclusion does not mean we endorse or validate the content there. The data described in the spreadsheet is nothing new, but we think that collecting it together in one place is useful.”
The data collected so far shows that, on average, an in-the-wild exploit is identified every 17 days, that it takes vendors 15 days to patch an actively exploited flaw, that a detailed technical analysis is published for nearly 90 percent of zero-days, and memory corruption bugs are the root cause of roughly two-thirds of these vulnerabilities.