Skip to main content
  1. Home
  2. Computing
  3. News

Experts found a record number of zero-day hacks in 2021

Add as a preferred source on Google

Google has published the 2021 review of Project Zero, revealing a record amount of zero-days exploits (labeled as “one of the most advanced attack methods”) exhibited by some of the world’s largest technology companies.

Project Zero is an initiative started by Google in 2014 aimed at detailing security defects known as zero-day exploits. These vulnerabilities are dangerous as they essentially remain undetected unless a mitigation system has been implemented, thus leaving systems, databases, and the like completely exposed to hackers.

A digital depiction of a laptop being hacked by a hacker.
Digital Trends

The end-of-year report for 2021 confirmed that 58 zero-day exploits were discovered. That’s the highest amount detected since Project Zero’s inception — 2015 was the previous record holder with a total of 28 digital exploits.

Recommended Videos

Comparatively, at the height of the pandemic that saw hackers intensify their efforts in malicious cybercrime activity, Google’s security team disclosed 25 security flaws during 2020.

Google stressed that the record 58 zero-day exploits that were publicly detailed aren’t necessarily an indication of “increased usage of zero-day exploits.” On the contrary, the company ascribes it to the “increased detection and disclosure of these zero-days.”

“It’s highly likely that in 2021, there were other zero-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in the wild. Until we’re confident that all vendors are transparently disclosing in the wild status, there’s a big question of how many in the wild zero-days are discovered, but not labeled publicly by vendors.”

The report’s first zero-day exploit that was analyzed involved Google’s very own Chromium, which provides the open-source code for its Chrome browser.

Chromium saw a record high 14 zero-day bugs. Among the exploits were 10 remote code execution bugs, 2 sandbox escapes, and 1 infoleak. The final zero-day bug resulted in hackers attempting to open a webpage in Android-based apps instead of Chrome.

Elsewhere, seven Android zero-days were identified — quite a big jump from the single exploit found in 2019, which incidentally was the only other discovery by the Project Zero team pertaining to Google’s mobile operating system.

Apple, iOS, MacOS, and Windows

Google also mentioned WebKit, which is Apple’s web browser engine that powers Safari. According to Google, before 2021, Apple only revealed one public zero-day exploit that was designed to infiltrate WebKit/Safari. Even then, the disclosure materialized via a third-party researcher’s study.

However, in 2021, there were seven zero-days associated with Apple’s web browser, four of which were involved Safari’s Javascript Engine component.

Breaking away from the technology giant’s previously secretive nature when it came to detailing 0-day exploits, “2021 was the first full year that Apple annotated their release notes with in the wild status of vulnerabilities.”

To this end, five iOS zero-days were confirmed by Apple, while the first publicly discovered MacOS zero-day was uncovered as well.

Apple places huge importance on its security measures for iOS and Mac-based systems. After all, it gave a student $100,000 for hacking the latter.

As for Microsoft, Google detailed 10 Windows zero-days that targeted seven separate elements, including Enhanced crypto provider (no surprise there, of course), NTOS kernel, and Win32k.

“Windows is the platform where we’ve seen the most change in components targeted compared with previous years. However, this shift has generally been in progress for a few years and predicted with the end-of-life of Windows 7 in 2020 and thus why it’s still not especially novel,” Google said.

Windows 11 was also subjected to a zero-day hack after its launch. Microsoft, however, doesn’t pay as handsomely as Apple when it comes to bug discoveries in some cases: Payouts have apparently been reduced to $1,000 from $10,000.

Furthermore, during 2021, five zero-days connected to Microsoft Exchange Server were found. “This is the first time any Exchange Server in the wild zero-days have been detected and disclosed since we began tracking in the wild zero-days,” the report added.

Hackers stick to tried-and-tested methods

A pair of hands on a laptop keyboard with two displays.
Image used with permission by copyright holder

Within the report’s New Year, Old Techniques section, Google emphasized that despite the record number of “data points” in 2021 “to understand how attackers are actually using zero-day exploits,” it was actually surprised that it recognized all that data — “there was nothing new.”

“Zero-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the zero-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit “shapes” previously seen in public research.

About 67% of the 58 zero-day exploits were memory corruption vulnerabilities. Google said this shouldn’t come as too much of a surprise when you consider the fact that this specific category is the go-to method for finding a way into software “for the last few decades,” and it’s largely the reason attackers continue to successfully gain access to its targets.

Google capped its report with a statement on the impact of zero-day exploits and the consequences of a successful attack.

“While the majority of people on the planet do not need to worry about their own personal risk of being targeted with zero-days, zero-day exploitation still affects us all. These zero-days tend to have an outsized impact on society, so we need to continue doing whatever we can to make it harder for attackers to be successful in these attacks. 2021 showed us we’re on the right track and making progress, but there’s plenty more to be done to make zero-day hard.”

With the world becoming more digital and technology-driven than ever before, cybercriminals are making billions of dollars by exploiting individuals.

With an increase in cyber crime across the board, nearly $7 billion was stolen from people last year, which is largely attributed to certain crime types such as personal data breach (clean up your passwords) and ransomware.

Zak Islam
Former Contributor
Zak covers the latest news in the technology world, particularly the computing field. A fan of anything pertaining to tech…
Apple’s M6 chip isn’t even here yet, but you’ll see M7 Macs early in 2027
Apple is reportedly already accelerating its next-generation silicon roadmap, even before the M6 has launched.
Apple MacBook

The M6 chip is still expected to debut later this year, but Apple may already be preparing for what comes next. According to Mark Gurman's latest report for Bloomberg, the company is aiming to introduce its first M7-powered devices as early as the first half of 2027, hinting at a much faster silicon refresh than many expected.

M7 could arrive alongside new Macs and iPads

Read more
The entry-level MacBook Pro could get a design refresh in 2027, and it’s about time
Five years on the same chassis, and now both tiers of the MacBook Pro are getting a new look at once.
MacBook Pro in space grey sitting on a desk.

Apple has a new MacBook Pro lined up for launch early next year, according to Bloomberg. The company will introduce a 14-inch laptop in the first half of 2027. 

The biggest surprise, however, will be a brand-new design language. The outlet describes it as "a revamped entry-level MacBook Pro, code-named K104."

Read more
Study finds humans will talk to AI ghosts of the dead as reincarnations, and it’s pretty grim
The first AI ghost study is in. The results are about as complicated as you'd expect.
VR Headset, Person, Face

A new study from the University of Colorado Boulder confirms something that sounds both impressive and concerning. People find interacting with AI simulations of their dead loved ones deeply meaningful, and most will come away wanting to do it again.

The researchers call it a "generative ghost," which is a clear reference to generative AI, but I’d still prefer to call it unsettling.

Read more