Full Report
Google has revealed that it observed 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023. Of the 75 zero-days, 44% targeted enterprise products, and as many as 20 flaws were identified in security software and appliances. "Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for browsers and by about half for
Analysis Summary
As a vulnerability research specialist, I will summarize the provided information focusing only on the specific vulnerabilities and associated CVEs mentioned in the context.
# Vulnerability: Zero-Day Exploits Against Apple, Android, Firefox, and Enterprise Software (2024 Overview)
## CVE Details
This summary focuses on the specific CVEs mentioned in the context related to exploitation chains:
- **CVE-2023-46805**: (Severity Score/CWE not provided in text)
- **CVE-2024-21887**: (Severity Score/CWE not provided in text)
- **CVE-2024-53104**: (Severity Score/CWE not provided in text)
- **CVE-2024-32896**: (Severity Score/CWE not provided in text)
- **CVE-2024-29745**: (Severity Score/CWE not provided in text)
- **CVE-2024-29748**: (Severity Score/CWE not provided in text)
- **CVE-2024-55956**: (Severity Score/CWE not provided in text)
- **CVE-2024-21338**: (Severity Score/CWE not provided in text)
- **CVE-2024-38178**: (Severity Score/CWE not provided in text)
- **CVE-2024-9680** (Firefox/Tor): (Severity Score/CWE not provided in text)
- **CVE-2024-49039** (Firefox/Tor): (Severity Score/CWE not provided in text)
- **CVE-2024-44308** (Apple/WebKit): (Severity Score/CWE not provided in text)
- **CVE-2024-44309** (Apple/WebKit): (Severity Score/CWE not provided in text)
## Affected Systems
Because the article summarizes 75 exploited zero-days, a complete list of affected products is unavailable. However, the vendors and products explicitly mentioned in relation to exploits include:
- **Products:** Microsoft Windows, Apple Safari, iOS, Android, Chrome, Mozilla Firefox, Ivanti, Palo Alto Networks, Cisco.
- **Versions:** The precise vulnerable versions for most CVEs are not specified, only that they were targeted in 2024.
- **Configurations:** Three of seven exploited Android zero-days were found in third-party components.
## Vulnerability Description
The article details several exploitation chains active in 2024:
1. **Ukraine Diplomatic Academy Compromise:** Malicious JavaScript injected into the website triggered an exploit for **CVE-2024-44308**, followed by **CVE-2024-44309** (a cookie management vulnerability in WebKit). This enabled a cross-site scripting (XSS) attack that collected user cookies for unauthorized access to `login.microsoftonline[.]com`.
2. **Firefox/Tor Exploit Chain:** An exploit chain involving **CVE-2024-9680** and **CVE-2024-49039** was used to break out of the Firefox sandbox and execute malicious code with elevated privileges, leading to the deployment of the RomCom RAT.
## Exploitation
- **Status:** **Exploited in the wild** (75 zero-days observed exploited in 2024).
- **Complexity:** Exploitation chains involving multiple zero-days were almost exclusively (90%) used against mobile devices.
- **Attack Vector:** Varied (Network, Local, etc., depending on the specific CVE, but several involved watering hole attacks and sandbox escapes).
## Impact
Impact levels (Confidentiality, Integrity, Availability) are not explicitly scored for the listed CVEs, but based on observed outcomes:
- Confidentiality: High (Cookie theft, unauthorized access, RAT deployment).
- Integrity: High (Arbitrary code execution, privilege escalation).
- Availability: Not the primary focus, but denial of service is possible following RAT deployment or system compromise.
## Remediation
### Patches
The article implies that vendors (like Google and Apple) discovered and subsequently patched these issues, but **specific patch versions relating to the listed CVEs are not provided.**
- *Note: Google confirmed patching 47 Android security flaws in a separate report referenced by the text, suggesting patches for the Android CVEs exist.*
### Workarounds
No specific, guaranteed workarounds for the individual CVEs are listed beyond the broader mitigation strategies below.
## Detection
- **Indicators of Compromise:** Malicious JavaScript injections on websites, redirection to attacker-controlled domains hosting exploit chains, and deployment of RomCom RAT.
- **Detection Methods and Tools:** Threat intelligence tracking of state-sponsored and financially motivated activity clusters (e.g., those attributed to China, Russia, North Korea, and CIGAR).
## References
- Vendor Advisories: Not provided directly, but linked to Google Threat Intelligence Group (GTIG) reporting and references to vendor actions (e.g., Apple releasing urgent updates).
- Relevant Links:
  - https[:]//cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends
  - hxxp[:]//thehackernews.com/2024/04/researchers-identify-multiple-china.html (Related to CVE-2023-46805)
  - hxxp[:]//thehackernews.com/2024/01/chinese-hackers-exploit-zero-day-flaws.html (Related to CVE-2024-21887)
  - hxxp[:]//thehackernews.com/2025/02/google-patches-47-android-security.html (Related to CVE-2024-53104)
  - hxxp[:]//thehackernews.com/2024/09/google-confirms-cve-2024-32896.html (Related to CVE-2024-32896)
  - hxxp[:]//thehackernews.com/2024/04/google-warns-android-zero-day-flaws-in.html (Related to CVE-2024-29745, CVE-2024-29748)
  - hxxp[:]//thehackernews.com/2024/12/cleo-file-transfer-vulnerability-under.html (Related to CVE-2024-55956)
  - hxxp[:]//thehackernews.com/2024/02/lazarus-hackers-exploited-windows.html (Related to CVE-2024-21338)
  - hxxp[:]//thehackernews.com/2024/10/north-korean-scarcruft-exploits-windows.html (Related to CVE-2024-38178)
  - hxxp[:]//thehackernews.com/2024/11/romcom-exploits-zero-day-firefox-and.html (Related to CVE-2024-9680, CVE-2024-49039)
  - hxxp[:]//thehackernews.com/2024/11/apple-releases-urgent-updates-to-patch.html (Related to CVE-2024-44308, CVE-2024-44309)