Skip to main content

Experts found a record number of zero-day hacks in 2021

Google has published the 2021 review of Project Zero, revealing a record amount of zero-days exploits (labeled as “one of the most advanced attack methods”) exhibited by some of the world’s largest technology companies.

Project Zero is an initiative started by Google in 2014 aimed at detailing security defects known as zero-day exploits. These vulnerabilities are dangerous as they essentially remain undetected unless a mitigation system has been implemented, thus leaving systems, databases, and the like completely exposed to hackers.

A digital depiction of a laptop being hacked by a hacker.
Digital Trends Graphic

The end-of-year report for 2021 confirmed that 58 zero-day exploits were discovered. That’s the highest amount detected since Project Zero’s inception — 2015 was the previous record holder with a total of 28 digital exploits.

Comparatively, at the height of the pandemic that saw hackers intensify their efforts in malicious cybercrime activity, Google’s security team disclosed 25 security flaws during 2020.

Google stressed that the record 58 zero-day exploits that were publicly detailed aren’t necessarily an indication of “increased usage of zero-day exploits.” On the contrary, the company ascribes it to the “increased detection and disclosure of these zero-days.”

“It’s highly likely that in 2021, there were other zero-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in the wild. Until we’re confident that all vendors are transparently disclosing in the wild status, there’s a big question of how many in the wild zero-days are discovered, but not labeled publicly by vendors.”

The report’s first zero-day exploit that was analyzed involved Google’s very own Chromium, which provides the open-source code for its Chrome browser.

Chromium saw a record high 14 zero-day bugs. Among the exploits were 10 remote code execution bugs, 2 sandbox escapes, and 1 infoleak. The final zero-day bug resulted in hackers attempting to open a webpage in Android-based apps instead of Chrome.

Elsewhere, seven Android zero-days were identified — quite a big jump from the single exploit found in 2019, which incidentally was the only other discovery by the Project Zero team pertaining to Google’s mobile operating system.

Apple, iOS, MacOS, and Windows

Google also mentioned WebKit, which is Apple’s web browser engine that powers Safari. According to Google, before 2021, Apple only revealed one public zero-day exploit that was designed to infiltrate WebKit/Safari. Even then, the disclosure materialized via a third-party researcher’s study.

However, in 2021, there were seven zero-days associated with Apple’s web browser, four of which were involved Safari’s Javascript Engine component.

Breaking away from the technology giant’s previously secretive nature when it came to detailing 0-day exploits, “2021 was the first full year that Apple annotated their release notes with in the wild status of vulnerabilities.”

To this end, five iOS zero-days were confirmed by Apple, while the first publicly discovered MacOS zero-day was uncovered as well.

Apple places huge importance on its security measures for iOS and Mac-based systems. After all, it gave a student $100,000 for hacking the latter.

As for Microsoft, Google detailed 10 Windows zero-days that targeted seven separate elements, including Enhanced crypto provider (no surprise there, of course), NTOS kernel, and Win32k.

“Windows is the platform where we’ve seen the most change in components targeted compared with previous years. However, this shift has generally been in progress for a few years and predicted with the end-of-life of Windows 7 in 2020 and thus why it’s still not especially novel,” Google said.

Windows 11 was also subjected to a zero-day hack after its launch. Microsoft, however, doesn’t pay as handsomely as Apple when it comes to bug discoveries in some cases: Payouts have apparently been reduced to $1,000 from $10,000.

Furthermore, during 2021, five zero-days connected to Microsoft Exchange Server were found. “This is the first time any Exchange Server in the wild zero-days have been detected and disclosed since we began tracking in the wild zero-days,” the report added.

Hackers stick to tried-and-tested methods

A pair of hands on a laptop keyboard with two displays.

Within the report’s New Year, Old Techniques section, Google emphasized that despite the record number of “data points” in 2021 “to understand how attackers are actually using zero-day exploits,” it was actually surprised that it recognized all that data — “there was nothing new.”

“Zero-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the zero-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit “shapes” previously seen in public research.

About 67% of the 58 zero-day exploits were memory corruption vulnerabilities. Google said this shouldn’t come as too much of a surprise when you consider the fact that this specific category is the go-to method for finding a way into software “for the last few decades,” and it’s largely the reason attackers continue to successfully gain access to its targets.

Google capped its report with a statement on the impact of zero-day exploits and the consequences of a successful attack.

“While the majority of people on the planet do not need to worry about their own personal risk of being targeted with zero-days, zero-day exploitation still affects us all. These zero-days tend to have an outsized impact on society, so we need to continue doing whatever we can to make it harder for attackers to be successful in these attacks. 2021 showed us we’re on the right track and making progress, but there’s plenty more to be done to make zero-day hard.”

With the world becoming more digital and technology-driven than ever before, cybercriminals are making billions of dollars by exploiting individuals.

With an increase in cyber crime across the board, nearly $7 billion was stolen from people last year, which is largely attributed to certain crime types such as personal data breach (clean up your passwords) and ransomware.

Editors' Recommendations

Windows 10 Home vs. Pro vs. S mode: What’s the difference?
dell xps 15 2 in 1 review version 1522861390 front display

Windows 10 still holds its own, despite Windows 11 being worth the upgrade. It has many of the same features as its younger sibling, and with some applications, it still performs better. But if you plan to install Windows 10 on a new computer, you'll need to pick from one of the many options of Windows 10 to install.

Should you install Windows 10 Home? Windows 10 Pro? What about S Mode? In this guide to Windows 10, we'll break down the most popular versions and why one or the other might be best for you.
Windows 10 Home vs. Pro vs. S mode features
It can be challenging to work through all the Windows 10 versions to decide which one is right for your needs. All three mainstream versions are on this list and should give you the best choices for general computing or school. 

Read more
4 Windows 11 accessibility features that make it easier for everyone to use
Person using Windows 11 laptop on their lap by the window.

Windows 11 feature some big updates for Microsoft's storied operating system visually, but it has made big strides in accessibility as well. Live Captions, updates to the Narrator, and even full voice access might make Windows 11 the most accessible OS Microsoft has ever released.

Regardless of it you need accessibility features to navigate Windows 11 or if you just want to make getting around a little easier, we tried out a slew of features to bring you our favorites. If you want to browse the full list, you can find it by opening the Settings app in Windows 11 and selecting the Accessibility tab.
Live captions

Read more
Microsoft Edge opens AI-upscaled video to AMD graphics cards
The Microsoft Edge browser is open on a Surface Book 2 in tablet mode.

Microsoft is rolling out a new super resolution for its Edge browser, but unlike Nvidia's recently announced RTX Video Super Resolution, Microsoft's take works with AMD graphics cards.

Edge is taking the same name. Video Super Resolution (VSR) leverages AI to upscale videos directly in your browser. Microsoft's announcement reads, "It accomplishes this by removing blocky compression artifacts and upscaling video resolution so you can enjoy crisp and clear videos on YouTube and other streaming platforms that play video content without sacrificing bandwidth."

Read more