Sign In

Communications of the ACM

ACM News

Google Says It's Too Easy for Hackers to Find New Security Flaws

View as: Print Mobile App Share:
Reviewing code execution for issues.

A security researcher at Google says it is too easy for hackers to keep exploiting insidious zero-day vulnerabilities because companies are not doing a good job of permanently shutting down flaws and loopholes.

Credit: Lewis Ngugi/Unsplash

In December 2018, researchers at Google detected a group of hackers with their sights set on Microsoft's Internet Explorer. Even though new development was shut down two years earlier, it's such a common browser that if you can find a way to hack it, you've got a potential open door to billions of computers.

The hackers were hunting for, and finding, previously unknown flaws, known as zero-day vulnerabilities.

Soon after they were spotted, the researchers saw one exploit being used in the wild. Microsoft issued a patch and fixed the flaw, sort of. In September 2019, another similar vulnerability was found being exploited by the same hacking group.

More discoveries in November 2019, January 2020, and April 2020 added up to at least five zero-day vulnerabilities being exploited from the same bug class in short order. Microsoft issued multiple security updates: some failed to actually fix the vulnerability being targeted, while others required only slight changes that required just a line or two to change in the hacker's code to make the exploit work again.

This saga is emblematic of a much bigger problem in cybersecurity, according to new research from Maddie Stone, a security researcher at Google: that it's far too easy for hackers to keep exploiting insidious zero-days because companies are not doing a good job of permanently shutting down flaws and loopholes.

The research by Stone, who is part of a Google security team known as Project Zero,  spotlights multiple examples of this in action, including problems that Google itself has had with its popular Chrome browser. 

"What we saw cuts across the industry: Incomplete patches are making it easier for attackers to exploit users with zero-days," Stone said on Tuesday at the security conference Enigma. "We're not requiring attackers to come up with all new bug classes, develop brand new exploitation, look at code that has never been researched before. We're allowing the reuse of lots of different vulnerabilities that we previously knew about."

From MIT Technology Review
View Full Article



No entries found