Google says it’s too easy for hackers to find new security flaws
The problem: Security researchers detected similar, previously-unknown flaws, known as zero-day vulnerabilities, in Microsoft products in December 2018, September 2019, November 2019, January 2020, and April 2020. This saga is emblematic of a much bigger problem in cybersecurity, according to new research from Maddie Stone, a security researcher at Google: that it’s far too easy for hackers to keep exploiting insidious zero-days because tech companies are not doing a good job of permanently shutting down flaws and loopholes.
The size of the issue: Over its six-year lifespan, Google’s team has publicly tracked over 150 major zero-day bugs, and in 2020 Stone’s team documented 24 zero-days that were being exploited—a quarter of which were extremely similar to previously disclosed vulnerabilities. Three were incompletely patched, which meant that it took just a few tweaks to the hacker’s code for the attack to continue working.
Why aren’t they being fixed? Most of the security teams working at software companies have limited time and resources, and if their priorities and incentives are flawed, they only check that they’ve fixed the very specific vulnerability in front of them instead of addressing the bigger problems at the root of many vulnerabilities. A big part of changing this comes down to time and money.