Rubbish software security patches responsible for a quarter of zero-days last year (Security News, February 2021)
To limit the impact of zero-day vulnerabilities, Google security researcher Maddie Stone would like those developing software fixes to stop delivering shoddy patches.
"Looking at them all together as a group, the number that stuck out the most to me was that six out of the 24 zero-days exploited in 2020 are variants of previously disclosed vulnerabilities," she said.
"On top of that, three out of the 24 vulnerabilities were incompletely patched, meaning that with just a few tweaks, you could have an exploit that still works even after the patch was applied."
In January 2018, she explained, a security researcher reported multiple Internet Explorer vulnerabilities to Microsoft.
In February 2020, Sergei Glazunov, a Project Zero researcher, found a zero-day exploit for CVE-2019-13764 that still worked despite the patch.
"We need correct and comprehensive patches for all vulnerabilities from our vendors," she said.
News URL: https://go.theregister.com/feed/www.theregister.com/2021/02/03/enigma_patch_zero/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS score) |
---|---|---|---|
2019-12-10 | CVE-2019-13764 | Type confusion vulnerability in multiple products: type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |