Reviewing Google's 2024 Zero Day Report
The 2024 Zero Day report has been released by Google’s threat intelligence group.
If you’re crunched for time, feel free to take the below as your TL;DR. If you have some time, then I suggest skipping over the beginning where the report uses data to draw such dramatic conclusions as “More hamburgers are consumed in areas with higher population density!” In other words, the companies and technologies being targeted are the ones in use by the most people, and there were no callouts regarding divergent ratios.
Highlights
Some things that stood out to me:
- Sighted 0-days targeting some software, such as web browsers, are on the decline.
- The report attributes this to strong(er) security engineering practices; however, I think it’s more a reflection that getting people to install a malicious extension, or taking over the codebase of a popular extension, is so much easier than building a 0-day. Certainly secure development is important in pushing that tradeoff, but it’s a lot more than just “we’re building you a better Chrome!”
- Contrasted with Verizon’s broader-in-scope 2025 DBIR, 0-days are used disproportionately in espionage hacking events.
- While only 17% of all incident reports by Verizon were attributed to espionage, Google’s report identifies that nearly 30% of espionage attacks used 0-days.
- “Big tech” took the top spots among affected vendors; however, by this the report means Microsoft, Google, and Apple.
- Also heavily impacted were vendors of networking products (like Fortinet and Palo Alto, though not mentioned by name). Are these not also “big tech”? I always thought so.
- Top 3 Vulnerability Types:
  - Use-after-free
  - Command Injection
  - XSS (yes, still… 😒)
- Commercial Surveillance Vendors (CSVs) play an increasingly prominent role in 0-day creation and acquisition. Unsurprisingly, it turns out there’s a lot of money to be made selling software that can break into a spouse’s phone to their abusers. Oh, and selling governments access to journalists’ phones can also bring in the Benjamins.
The report includes a couple of “Spotlights”, one being the acquisition of a user’s browser cookies and the other being local privesc through a browser exploit chain by the CIGAR threat actor. These are both quality reports, and your threat hunting and incident response teams should read them.
Conclusion
Finally, the report closes with some broad advice about how to defend against attacks that are, by their very nature, unknown. One is to digest reports like these 🤨 and the other is to keep an eye out for emerging popular tech. After all, the creation of 0-days is time-consuming and costly, so no one is spending time on something used by a few thousand people. I’d keep an eye on tech that is both new and has a steep adoption curve, since the developers and security teams behind these products have not had the time to develop robust security engineering practices or deploy defense-in-depth technologies.