The first quarter of 2021 has been a busy one for the Project Zero (P0) team: they announced 16 “in the wild” zero-days, one new announcement a week on average. This is great for driving news cycles, or if you’re in marketing and need some FUD to help sales. It isn’t so great if you are on a security team and have to deal with the buzz these announcements cause every week, redirecting time and resources that your team could otherwise use to remove the existing risk on your network.
Here is a quick breakdown of the 16 CVEs that P0 has released this year:
| CVE | Product | Known Exploit |
|---|---|---|
| CVE-2021-1647 | Microsoft Defender | TRUE |
| CVE-2021-1782 | iOS | FALSE |
| CVE-2021-1870 | iOS | FALSE |
| CVE-2021-1871 | iOS | FALSE |
| CVE-2021-21148 | Google Chrome | FALSE |
| CVE-2021-21017 | Acrobat Reader | FALSE |
| CVE-2021-1732 | Microsoft Windows | TRUE |
| CVE-2021-26855 | Microsoft Exchange | TRUE |
| CVE-2021-26857 | Microsoft Exchange | TRUE |
| CVE-2021-26858 | Microsoft Exchange | TRUE |
| CVE-2021-27065 | Microsoft Exchange | TRUE |
| CVE-2021-21166 | Google Chrome | FALSE |
| CVE-2021-26411 | Microsoft IE | FALSE |
| CVE-2021-21193 | Google Chrome | FALSE |
| CVE-2021-1879 | iOS | FALSE |
| CVE-2020-11261 | Android | FALSE |
Of the 16 announcements by P0, only 6 have publicly available proof-of-concept code, and only the Exchange CVEs have been weaponized as far as I can tell. That means a lot of companies have spent a lot of resources rushing emergency patches out to their systems to defend against zero-days that make huge news headlines like these:
The problem is that, while I am sure this is a legitimate iOS security vulnerability and P0 probably did observe one group of actors using it against another group of actors, what risk does it pose to the average system and person on the internet?
It’s important that security teams know they need to put out the proverbial “fire” when the “exploited in the wild” alarm sounds. Unfortunately, a lot of these disclosures are like a fire alarm that goes off any time there is a fire anywhere in your city rather than in your actual building. If this happens too often, teams will lose faith in the “in the wild” moniker and may skip critical vulnerabilities; or, alternatively, teams may spend time fixing low-risk vulnerabilities that make the headlines instead of the widely exploited vulnerabilities that cybercriminals are actively using.
SideBar:
The vulnerabilities most likely to introduce risk to your environment are those with high volume (Windows vulnerabilities) and those with a high velocity of exploitation (the NotPetya ransomware and the Mirai botnet). These should be treated differently from the low-volume, targeted attacks that make up the vast majority of these P0 CVEs.
To be blunt, if an exploit is being used by a nation-state to target a group of people, it should be reported, but it is not the same as a widespread automated exploit with public code and many groups exploiting it, and it shouldn’t be treated as such. If we added modifiers like “privately exploited in the wild” and “publicly exploited in the wild”, it would be easier for security teams to understand the true risk and know when they need to quickly patch their systems.
Until we figure this out I am going to go reboot my iPhone because I have to protect myself from another zero-day.