Groundhog Day is celebrated each year in the United States and Canada on February 2. It comes from a superstition that if a groundhog emerging from its burrow on this day sees its shadow due to clear weather, it will retreat to its den and winter will persist for six more weeks; but if it does not see its shadow because of cloudiness, spring will arrive early. It is also a popular 1993 time loop movie about a weatherman who is forced to relive February 2 repeatedly.
According to a report by Google’s Project Zero there were 24 zero-day vulnerabilities detected in-the-wild in 2020. What is surprising is that 25% of those zero-days are closely related to previously publicly disclosed vulnerabilities. Just like in the movie – we relive the same vulnerabilities over and over again. Just to reiterate – 1 out of every 4 new zero-day exploits detected were essentially a rehashing of a previously known exploit that had a shoddy patch.
Here is a table from the report on how those six “rehashed: vulnerabilities evolved:
|Product||2020 vulnerability exploited in-the-wild||Variant of…|
|Microsoft Internet Explorer||CVE-2020-0674||CVE-2018-8653* CVE-2019-1367* CVE-2019-1429*|
|Mozilla Firefox||CVE-2020-6820||Mozilla Bug 1507180|
|* vulnerability was also exploited in-the-wild in previous years|
Last year’s CVE-2020-0674 is an example of a “groundhog” patch. The same underlying issue has generated 4 zero days and five patches over two years. For all four exploits, the attacker used the same vulnerability type and the same exact exploitation method.
The bottom line is that even though timely patching is still the best fix for vulnerabilities, it is far from foolproof. Patching can fail (or not be applied) for a variety of reasons – from local testing or business issues to shoddy patches. In the case of a “groundhog” vulnerability patch, there is a good chance that the exploit variants were actually around way before they were discovered.
So, what’s to be learned from all this? Even after patching devices can remain vulnerable and exploitable. Don’t assume that everything with an up-to-date patch is 100% OK. You need to continually assess and minimize the risk for your organization’s graphs (see my post on “3 Clear and Present Dangers in 2021”) using risk scenarios that include patched devices and propose a variety of mitigations to minimize risk.