2018 was a big year for security vulnerabilities, and 2019 is on track to be even bigger, according to Trend Micro’s Zero Day Initiative.
ZDI is in the business of acquiring vulnerabilities from security researchers and then responsibly reporting them to vendors. In 2018, ZDI published 1,444 security advisories, which was 42 percent more than it published in 2017. ZDI has a policy where it gives vendors 120 days to fix reported flaws, before it publicly discloses them. In 2018, ZDI reported that the vast majority of vendors responded and fixed issues inside of the disclosure window, with only 158, or 11 percent, of all vulnerabilities that ZDI reported in 2018 not meeting that threshold.
“Overall, just the volume of bug reports was a surprise. We expected 2018 to be larger than 2017, but not 40 percent larger,” Dustin Childs, director of communications for ZDI, told eWEEK. “Another surprise may be in what didn’t happen. There weren’t as many new areas of research as we would have predicted.”
Childs added that it seems there are plenty of bugs left to be found in current areas to keep researchers busy. The busiest area for security research reports acquired by ZDI in 2018 was for PDF-related flaws involving Adobe and Foxit. ZDI acquired 257 bug reports for Foxit and 238 for Adobe in 2018, as researchers continue to discover flaws in PDF technology.
“The volume of PDF bug reports has been growing over the last couple of years,” Childs said. “Given how broad that attack surface is, there doesn’t seem to be a slowdown coming in the near future.”
2018 was also a busy year for Microsoft flaws, with ZDI acquiring 124 security vulnerabilities. Of those, 47 percent were browser-related, impacting one of Microsoft’s web browsing technologies, including Internet Explorer, Edge and VBScript bugs. Severity of the flaws acquired by ZDI varied, with 60 percent of all flaws rated at medium severity and 33 percent rated as high or critical severity.
One of the largest challenges that ZDI saw facing vendors in 2018 were reports of flaws in existing patches—that is, issues for which a vendor already issued a patch but security researchers were still able to exploit the issue or find additional areas of risk.
“What we are seeing is analogous to doctors treating symptoms instead of the underlying disease,” Childs said. “Vendors are often choosing point fixes rather than addressing the underlying problem.”
Childs added that sometimes it’s understandable that a vendor only does point fixes, as a full fix may require removing an entire feature or library. Other times, he noted, it may be an application compatibility issue. Whatever the reason, Childs said there are many examples of vendors not correcting the underlying problem, which results in multiple patches being needed to fully address of vulnerability.
While ZDI acquires bugs year-round, it also has events and campaigns for vulnerability acquisition. Among the most active and lucrative is the annual Pwn2Own event, which awards cash prizes to security researchers who are able to demonstrate vulnerabilities against software in a live setting.
In the past, Pwn2Own has focused on web browser and virtualization technologies, but in 2019 the scope is expanding to also include automotive technology, with Tesla as a target. ZDI will award a top prize of $300,000 and a new Tesla Model 3 for a successful exploit.
“The automotive category is definitely a new area for us, but it follows the trend of us adding different devices and targets at Pwn2Own to keep the contest fresh and relevant,” Childs said.
Childs said Tesla joins returning partner Microsoft and sponsor VMware for this year’s event and is providing some of the funding. There are multiple Microsoft targets at Pwn2Own 2019, including a top prize of $250,000 for a successful virtualization exploit of Hyper-V that enables guest to host escalation. The top prize from VMware is for an exploit of the ESXi virtualization technology that enables the guest OS to execute code on the host OS.
Browsers are always a primary target at Pwn2Own, and for 2019, ZDI is offering a top prize of $80,000 for exploits in Google Chrome and Microsoft Edge. An exploit of Apple’s Safari browser that enables a privilege escalation in the macOS kernel will earn a successful researcher a top prize of $65,000. The top prize for a Windows kernel escalation of privilege via Mozilla Firefox will result in a $50,000 award.
Notably absent from the target list for Pwn2Own 2019 are any Linux targets, which had been in the program in years past. In 2017, for example, Ubuntu Linux was exploited on the first day of the Pwn2Own competition. ZDI has now moved its Linux and server targets to a different effort known as the Targeted Incentive Program.
“When we started our Targeted Incentive Program, part of the thought was how we could extend Pwn2Own for months instead of days,” Childs said. “Some of these targets require a huge amount of research to find and craft a full exploit. Many of the Linux targets we’re most interested in, things like Apache and NGINX, have shifted to that program.”
Pwn2Own 2019 takes place in Vancouver, Canada, from March 20-22 at the CanSecWest conference.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.