Google has just released yet another emergency security update for its Chrome web browser on desktop platforms. This brings the total number of emergency zero-day vulnerability bug fixes to a troubling eight this year alone. In the analysis below, we’ll explore what a zero-day exploit is and how vulnerabilities like that, which Google is currently trying to get a handle on, happen.
This article will likely contain a plethora of terms and phrases used in the software development spheres but rarely in general conversation. Therefore, we’ll try as far as possible to explain this terminology in more accessible language.
What is a zero-day vulnerability?
In the most basic terms, a zero-day vulnerability is a weak point in a system’s software that the original developers, coders, and vendors of the software have yet to discover. Zero-day vulnerabilities are incredibly lucrative for those who find them, and detrimental to the vendors of the affected software, their customers, and the wider public who utilize the software.
In a 2021 article entitled “What is the Current State of Zero-day Exploit Market,” Lifars.com estimated zero-day vulnerabilities to be worth anything from $60,000 (as in the case of Adobe Reader) to $2,500,000 (as in the case of Apple’s iOS operating system). These are actual prices that threat actors have paid for single zero-day vulnerabilities. Simply put, if you manage to find a zero-day vulnerability within any popular piece of software’s code, you could be looking at a massive windfall. You’re more likely looking at severe punishment, though. As lucrative as the zero-day trade is, it’s also incredibly risky.
The term zero-day is derived from the timeframe that the vendor’s developers and coders have had to create a patch: zero days. Zero-day is essentially the state of a vulnerability in a system before it is officially discovered by the vendor so that a patch can be created and distributed. This is why these types of vulnerabilities are so lucrative; they’re unknown to all except the threat actor who discovers them. Therefore, they’re an opportunity for a larger threat actor to gain access to data without users’ knowledge or potentially bring a service or entire company to its knees.
What causes a zero-day vulnerability?
In many cases, vulnerabilities exist as a result of an error in a system’s code. If you make a syntax error when writing code, such as omitting a semi-colon or misspelling an instruction, your compiler will usually tell you exactly where the issue is so that you can fix it. However, other mistakes outside of the syntax realm are not always as easily spotted.
Zero-day vulnerabilities are caused by the same errors as other vulnerabilities. The only difference is that a zero-day hasn’t been noticed by the vendor and is instead uncovered by a threat actor or someone intending to sell their discovery to a threat actor. In short, zero-day vulnerabilities are often caused by errors in a system’s code.
Why are zero-day vulnerabilities so dangerous?
The entire nature of a zero-day vulnerability means that its danger lies in its potential. As we’ve mentioned, zero-day is the prefix automatically assigned to a vulnerability before the vendor or developer invested in the product’s safety and that of its users knows about it. As soon as a threat actor discovers a vulnerability, it becomes a zero-day vulnerability.
This is another reason these vulnerabilities are so dangerous. The vendor doesn’t know there’s a problem, and therefore, the vendor can do nothing to rectify the issue. The vendor is, at this stage, clueless and incredibly vulnerable.
There have been many zero-day vulnerabilities since the advent of technology and computing. However, the reason that this term strikes so much fear in the hearts and minds of billions of people is that there are so many that have not been solved. The only way to identify the issue is for the developer or the vendor to have knowledge about the vulnerability. However, in some cases, that knowledge only amounts to the awareness that your system is compromised, not how the compromise was achieved.
One of these largely unsolved issues is Stuxnet, a worm-type exploit that was, allegedly, tasked with attacking Iran’s nuclear program. The vendor, in this case, the Iranian establishment, knew that there was a problem. Their gas centrifuges, a mechanical system for separating nuclear material, started tearing themselves apart.
There was mass physical damage, and it set Iran’s nuclear program back considerably. However, while Western establishments are widely believed to be behind the attack on Iran’s nuclear program, no one has claimed responsibility for the attacks. No threat actor has been identified as yet. Stuxnet isn’t even a relic of the past. The worm is still active.
Fun fact: Stuxnet was deliberately engineered to attack three core systems: Windows operating systems, Siemens software, and Siemens S7 PCs. If these three criteria are not met, the worm renders itself inert and doesn’t activate. Each instance of infection was also deliberately restrained from propagating itself to more than three other computers.
Zero-day vulnerabilities are so terrifying because the people who can fix them have no idea they exist. They’re so dangerous because it takes only one threat actor to turn a vulnerability into an exploit, and these exploits aren’t always caught by the developers or vendors.
Why does Google keep falling prey to zero-day vulnerabilities?
The simple answer is that we don’t live in a perfect world. In a perfect world, we’d release software with zero vulnerabilities, which would prevent zero-day exploits from even being a term in our modern language. Unfortunately, this is not the case, even for a massive corporation like Google.
The issue likely lies in the fact that so many developers, coders, and programmers are working on Google’s software. Google reported in 2022 that it employs 27,169 software engineers. Of these, an estimated 200 engineers actively work on Google Chrome, the currently affected service. This doesn’t even include the people who work on the many other tasks that go into making a product like Chrome work as it should – which, by the way, is a full-time job.
Google Chrome is one of the most widely-used internet browsers, and it takes a monumental workforce to keep it stable. However, issues still manage to slip through the cracks, perhaps because there are so many different individuals working on the program at any given time. But, without so many individuals working on Chrome, it’s likely that the product would not be the success that it is.
The latest high-severity flaw, discovered by Clement Lecigne from the company’s Threat Analysis Group on the 22nd of November 2022, is what experts call a ‘heap buffer overflow in GPU.’ The vulnerability is currently being tracked as CVE-2022-4135. The term ‘heap buffer overflow in GPU’ might sound like a bunch of tech garble, but it’s incredibly important terminology to understand. Essentially, buffer overflows result in access being granted to regions of your computer’s memory that software shouldn’t have access to. This means that threat actors have a potential back door into your system, and, thus, your data.
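To make the idea concrete, here is an added example (not from the original article and not Chrome’s code) of a copy routine that compiles without any error yet lets oversized input spill into neighbouring memory, shown beside the corrected version. It models the heap as a single 32-byte array so the spill can be observed safely; all names in it are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE   16 /* bytes the program intends to give to the input */
#define ARENA_SIZE 32 /* the buffer plus the neighbouring data after it */

/* Constructed model of a heap: a 16-byte buffer immediately followed by
 * unrelated data that belongs to another part of the program. */
struct arena { unsigned char mem[ARENA_SIZE]; };

static void arena_init(struct arena *a) {
    memset(a->mem, 0, BUF_SIZE);
    memcpy(a->mem + BUF_SIZE, "NEIGHBOUR-DATA!", 16); /* 15 chars + NUL */
}

/* Flawed copy: trusts the supplied length. The compiler accepts it. */
static int copy_unchecked(struct arena *a, const unsigned char *src, size_t len) {
    if (len > ARENA_SIZE) return -1; /* keeps this demo inside its model */
    memcpy(a->mem, src, len);        /* bug: len may exceed BUF_SIZE */
    return 0;
}

/* Corrected copy: rejects any input larger than the buffer. */
static int copy_checked(struct arena *a, const unsigned char *src, size_t len) {
    if (len > BUF_SIZE) return -1;
    memcpy(a->mem, src, len);
    return 0;
}

static int neighbour_intact(const struct arena *a) {
    return memcmp(a->mem + BUF_SIZE, "NEIGHBOUR-DATA!", 16) == 0;
}

/* Returns 1 if the neighbouring data survives a 24-byte input, else 0. */
int survives_oversized_input(int use_checked) {
    struct arena a;
    unsigned char input[24]; /* constructed input, 8 bytes too long */
    memset(input, 'A', sizeof input);
    arena_init(&a);
    if (use_checked) copy_checked(&a, input, sizeof input);
    else             copy_unchecked(&a, input, sizeof input);
    return neighbour_intact(&a);
}

int main(void) {
    printf("unchecked copy, neighbour intact: %d\n", survives_oversized_input(0));
    printf("checked copy,   neighbour intact: %d\n", survives_oversized_input(1));
    return 0;
}
```

The only difference between the two routines is a single length comparison, which is the kind of non-syntax mistake a compiler does not flag.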
This is why it’s of utmost importance that you download the latest Google Chrome patch before your data is breached. These vulnerabilities will likely continue happening well into the future, but, given that this is the eighth vulnerability this year in Google Chrome, is it wise to potentially start seeking out other browsers?
Should you use another browser?
Honestly, as long as you are using a browser that uses code written by people, you’re likely going to have to deal with vulnerabilities. Errors and mistakes of all sorts underpin the entire experience of being human. Grammarly, a popular piece of editing software for professionals in writing and editing, has built its entire brand upon the idea that ‘to err is human, to edit, divine.’
This is a sentiment that echoes something that Eckhart Tolle once said: ‘It is through the mistakes that the greatest learning happens on an inner level.’ The same is true for software engineering. Yes, engineers make mistakes, as does everyone else. But, we should be comforted by the fact that Google employs not just engineers but also auditors and independent contractors that put the software through its paces.
There are many teams of people dedicated to finding and solving vulnerabilities before they get exploited. However, sometimes vulnerabilities do slip through the cracks and are weaponized, and then we have a situation like the present one within which we find ourselves, where Google releases a patch that fixes the vulnerability.
Therein lies the crux of this entire issue. Yes, there are vulnerabilities, but Google has already issued a fix for the most recently discovered of these, as well as those discovered previously. Google is permanently working on Chrome’s stability.
However, if you are resolved and want to change your browser, my personal recommendation would be to try Brave. This opinion is mine alone and does not reflect the views of Softonic, an impartial party when it comes to software. However, I have found Brave to be an even more compelling browser than Chrome. Brave is far superior in its native ad-blocking technology and allows you to choose a default search engine to make the transition as smooth as possible.
For instance, I use Google as my default search engine within Brave, but I still have full access to, and use of, Brave’s numerous finely-tuned security protocols. While no piece of software is truly safe from vulnerabilities, Brave at least prioritizes the safety and security of your data and virtual personal space more than other browsers have managed.
Google Chrome is still #1
In terms of browsers’ capabilities, Chrome is still the most compelling choice. Apart from personal preference, you won’t find a browser with a more dedicated workforce, more resources, or better ratings.
Yes, Google has had a decidedly bad year when it comes to Chrome vulnerabilities, but that shouldn’t cause you to question the stability of the system. As stated previously, Google has teams working on Chrome’s stability at all times. With Google Chrome, you’re still in good hands.