Google: Delayed Updates Make N-Days as Critical as Zero-Days

Google's fourth annual year-in-review of zero-day exploits emphasized the concerning issue of n-days on Android acting as effective 0-days for threat actors. Due to long delays in distributing and incorporating patches, threat actors are able to exploit n-day vulnerabilities that have yet to be fixed, leaving the device and user behind it completely vulnerable.

The complexity of the Android ecosystem is at the core of this problem, involving multiple stages between the upstream vendor (Google) and the downstream manufacturer (phone manufacturers). This results in significant disparities in security update intervals across various device models, short support periods, responsibility mix-ups, and other related issues.

Google pointed out that due to these problems, it can take several months for device manufacturers to incorporate a patch into their own versions of Android. As a result, vulnerabilities can exist for extended periods without being addressed — attackers can continue to utilize known exploitation methods or create their own to target vulnerable devices.

Maddie Stone, a Security Researcher at Google's Threat Analysis Group (TAG), highlighted the significant advantage this offers to attackers. She stated, "This is a great case for attackers. Attackers can use the known n-day bug, but have it operationally function as a 0-day since it will work on all affected devices."

In 2022, a total of 41 zero-days were identified, marking a significant 40% decrease from the previous year's count of 69. Despite this decline, the effectiveness of n-day vulnerabilities as exploitable targets has not witnessed a corresponding reduction, leaving attackers with ample attackable surfaces. Meanwhile, Google pointed out the inadequacy of current patching methods, which merely address the specific exploit technique detected, rather than tackling the vulnerability as a whole.