There Have Been Twenty Zero-Days Patched in Apple’s Operating Systems This Year ⇥ bleepingcomputer.com

Sergiu Gatlan, Bleeping Computer:

Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year.

Both of these are WebKit bugs.

According to Project Zero’s spreadsheet, Apple patched ten zero-days in 2022, thirteen in 2021, three in 2020, two in 2019, three in 2016, and none in 2018, 2017, 2015, and 2014. It seems like a similar story across the board: the 2014 spreadsheet contains just eleven entries total, while the 2023 sheet contains fifty-six so far.

It is surely impossible to know, but one wonders how much of this is caused by vendors and exploiters alike getting better at finding zero-days, and how much can be blamed on worsening security in software. That seems hard to believe with increased restrictions on how much data is simply laying around to be leaked, but perhaps that is a driver of the increasing number of reports: when you build more walls, there are more opportunities to find cracks.

Patrick Howell O’Neill reported for MIT Technology Review in 2021 that the escalating number of exploits is primarily driven by state warfare, then criminals, and that it seems like a combination of increased vigilance and bug bounty programs have improved discovery. Kevin Poireault, in Infosecurity Magazine earlier this year, reports that it is a sign of better security for more straightforward exploits, necessitating the use of more advanced techniques by adversaries.