
    Trend Micro’s ZDI Looks to Acquire More Vulnerabilities in 2019

    By Sean Michael Kerner - January 18, 2019

      2018 was a big year for security vulnerabilities, and 2019 is on track to be even bigger, according to Trend Micro’s Zero Day Initiative.

      ZDI is in the business of acquiring vulnerabilities from security researchers and then responsibly reporting them to vendors. In 2018, ZDI published 1,444 security advisories, which was 42 percent more than it published in 2017. ZDI has a policy where it gives vendors 120 days to fix reported flaws, before it publicly discloses them. In 2018, ZDI reported that the vast majority of vendors responded and fixed issues inside of the disclosure window, with only 158, or 11 percent, of all vulnerabilities that ZDI reported in 2018 not meeting that threshold.

      “Overall, just the volume of bug reports was a surprise. We expected 2018 to be larger than 2017, but not 40 percent larger,” Dustin Childs, director of communications for ZDI, told eWEEK. “Another surprise may be in what didn’t happen. There weren’t as many new areas of research as we would have predicted.”

      Childs added that it seems there are plenty of bugs left to be found in current areas to keep researchers busy. The busiest area for security research reports acquired by ZDI in 2018 was for PDF-related flaws involving Adobe and Foxit. ZDI acquired 257 bug reports for Foxit and 238 for Adobe in 2018, as researchers continue to discover flaws in PDF technology.

      “The volume of PDF bug reports has been growing over the last couple of years,” Childs said. “Given how broad that attack surface is, there doesn’t seem to be a slowdown coming in the near future.”

      2018 was also a busy year for Microsoft flaws, with ZDI acquiring 124 security vulnerabilities. Of those, 47 percent were browser-related, impacting one of Microsoft’s web browsing technologies, including Internet Explorer, Edge and VBScript bugs. Severity of the flaws acquired by ZDI varied, with 60 percent of all flaws rated at medium severity and 33 percent rated as high or critical severity.

      Patching

      One of the largest challenges that ZDI saw facing vendors in 2018 was reports of flaws in existing patches, that is, issues for which a vendor had already issued a patch but security researchers were still able to exploit the issue or find additional areas of risk.

      “What we are seeing is analogous to doctors treating symptoms instead of the underlying disease,” Childs said. “Vendors are often choosing point fixes rather than addressing the underlying problem.”

      Childs added that sometimes it’s understandable that a vendor only does point fixes, as a full fix may require removing an entire feature or library. Other times, he noted, it may be an application compatibility issue. Whatever the reason, Childs said there are many examples of vendors not correcting the underlying problem, which results in multiple patches being needed to fully address a vulnerability.

      Pwn2Own

      While ZDI acquires bugs year-round, it also has events and campaigns for vulnerability acquisition. Among the most active and lucrative is the annual Pwn2Own event, which awards cash prizes to security researchers who are able to demonstrate vulnerabilities against software in a live setting.

      In the past, Pwn2Own has focused on web browser and virtualization technologies, but in 2019 the scope is expanding to also include automotive technology, with Tesla as a target. ZDI will award a top prize of $300,000 and a new Tesla Model 3 for a successful exploit.

      “The automotive category is definitely a new area for us, but it follows the trend of us adding different devices and targets at Pwn2Own to keep the contest fresh and relevant,” Childs said.

      Childs said Tesla joins returning partner Microsoft and sponsor VMware for this year’s event and is providing some of the funding. There are multiple Microsoft targets at Pwn2Own 2019, including a top prize of $250,000 for a successful virtualization exploit of Hyper-V that enables guest-to-host escalation. The top prize from VMware is for an exploit of the ESXi virtualization technology that enables the guest OS to execute code on the host OS.

      Browsers are always a primary target at Pwn2Own, and for 2019, ZDI is offering a top prize of $80,000 for exploits in Google Chrome and Microsoft Edge. An exploit of Apple’s Safari browser that enables a privilege escalation in the macOS kernel will earn a successful researcher a top prize of $65,000. The top prize for a Windows kernel escalation of privilege via Mozilla Firefox is $50,000.

      Linux

      Notably absent from the target list for Pwn2Own 2019 are any Linux targets, which had been in the program in years past. In 2017, for example, Ubuntu Linux was exploited on the first day of the Pwn2Own competition. ZDI has now moved its Linux and server targets to a different effort known as the Targeted Incentive Program.

      “When we started our Targeted Incentive Program, part of the thought was how we could extend Pwn2Own for months instead of days,” Childs said. “Some of these targets require a huge amount of research to find and craft a full exploit. Many of the Linux targets we’re most interested in, things like Apache and NGINX, have shifted to that program.”

      Pwn2Own 2019 takes place in Vancouver, Canada, from March 20-22 at the CanSecWest conference.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
