Google’s Project Zero security team has been doing research that found 11 zero-day vulnerabilities which have been actively exploited in the first half of 2020.
The researchers started tracking zero-day vulnerabilities in an internal spreadsheet that started in 2014. Although, a year ago in May, Project Zero had uploaded its tracking spreadsheet for zero-days to the public as they had started a “more focused effort on analyzing and learning from these exploits.”
In a blog post, Maggie Stone, a Project Zero security researcher explained how the team had been tracking zero-day vulnerabilities:
“The largely steady number of detected 0-days might suggest that defender detection techniques are progressing at the same speed as attacker techniques. That could be true. Or it could not be. The data in our spreadsheet are only the 0-day exploits that were detected, not the 0-day exploits that were used. As long as we still don’t know the true detection rate of all 0-day exploits, it’s very difficult to make any conclusions about whether the number of 0-day exploits deployed in the wild is increasing or decreasing. For example, if all defenders stopped detection efforts, that could make it appear that there are no 0-days being exploited, but we’d clearly know that to be false.”
Till now, 11 zero-day vulnerabilities have been found being exploited in the wild which means 2020 is on the road to having as many zero-days as the previous year when the team had found 20-zero days.
Microsoft has taken the number one spot as the company with the most zero-vulnerability day as it has four zero-day vulnerabilities, Mozilla comes in second with three days and Trend Micro with two.
All of the zero-days in Project Zero’s spreadsheets have been patched.
In 2015, the vulnerabilities were as high as 29, but since the security team has been actively tracking them, these numbers have come down.
Project Zero has a review blog post that explains zero-days in detail and expands on each of the vulnerabilities found.