Google Project Zero researchers found that fifty percent of the 18 zero-day security flaws exploited so far this year were variants of older vulnerabilities that had been improperly remediated, reports SecurityWeek.
"On top of that, four of the 2022 zero-days are variants of 2021 in-the-wild zero-days. Just 12 months from the original in-the-wild zero-day being patched, attackers came back with a variant of the original bug," said Google Project Zero researcher Maddie Stone.
Among such bugs is the Follina flaw, tracked as CVE-2022-30190, which is based on the MSHTML zero-day, tracked as CVE-2021-40444. The report also showed that the Windows win32k flaw, tracked as CVE-2022-21882, was a variant of CVE-2021-1732, while a Chrome V8 engine type confusion vulnerability, tracked as CVE-2022-1096, originated from CVE-2021-30551. According to Stone, in both the Windows win32k and Chrome cases the proof-of-concept exploit was patched but the root cause was left unaddressed.
"When 0-day exploits are detected in-the-wild, it's the failure case for an attacker. It's a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can't be used again," said Stone.