Google: Better patching could have prevented 1 in 4 zero‑days last year

Vendors should fix the root cause of a vulnerability, rather than block just one path to triggering it, says Google



Google’s Project Zero team has revealed that a quarter of the zero-day exploits detected in 2020 could have been prevented had the vendors issued proper patches for the underlying security flaws. In its Year in Review blog post, the team said that of the 24 zero-days it detected in the wild, six were variants of previously disclosed vulnerabilities.


“Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit,” said Maddie Stone, a Project Zero security researcher.


The list includes CVE-2020-0674, a zero-day that affected Internet Explorer and is a variant of CVE-2018-8653, CVE-2019-1367, and CVE-2019-1429, all three of which had previously been exploited in the wild.


Among the other zero-days singled out is CVE-2020-27930, one of the three zero-day bugs quashed by Apple in November 2020, which was also related to an earlier security flaw, CVE-2015-0093. A vulnerability in the FreeType library, which is indexed as