HP Security Research Threat Intelligence Briefing episode 10 - ZDI 2013 in review

ZDI and vendors worked together to publicly disclose 286 advisories in 2013. We paid out more than $2.1 million (USD) to researchers in vulnerability purchases, rewards and contest payouts. That's a considerable sum and evidence of HP's commitment to security research and responsible disclosure. It also provided zero-day protection for users of HP's TippingPoint IPS ahead of vendor patches and -- possibly more importantly -- made the ecosystem safer for everybody.
Our external researchers took advantage of the bonuses offered in our benefits program in 2013. We had 25 researchers reach reward bonus levels in 2013. Ten of the researchers reached the Diamond level -- the highest level in the program -- which is a record. More interesting is that two of those researchers achieved this status through case submission alone (no contests and no multipliers) in their first year. Seriously. This follows a trend we've seen recently -- new researchers joining with high-quality submissions and excellent analysis. Naturally this work is valued and well-rewarded in our program.
Last year brought its fair share of use-after-frees, buffer overflows, and directory traversals, but one of our favorite types of vulnerability was the Java sandbox bypass. Our external researchers’ focus on Java didn’t, however, result in it being the most targeted application of 2013. That spot went to Microsoft’s Internet Explorer. We witnessed a 123% increase in submissions by our external researchers for this specific software over the previous year. What was the reason for this increase? There are most likely multiple reasons. One is that many of our researchers, who used to focus on file-format or server-side issues, have moved on to tackle the complexity of browsers. Another reason is that there were several highly publicized, targeted attacks that utilized Internet Explorer as the initial vector to gain remote code execution. This additional attention almost always generates new submissions as researchers tweak their fuzzers based on publicly available proofs of concept.
Of the over 65 different applications targeted by our researchers, the top products in order of popularity were:

  1. Microsoft Internet Explorer
  2. Oracle Java
  3. Hewlett-Packard Intelligent Management Center
  4. Apple QuickTime
  5. Hewlett-Packard Data Protector

The upshot of analyzing all this case data is that we get a good view of the threat landscape. Each product presents a unique attack surface, and with enough time and persistence our researchers were able to pinpoint previously undiscovered weaknesses. With the focus on the browser, it is not surprising to see use-after-free and other memory corruption issues top the list as the most common vulnerability types uncovered by our researcher community.
One interesting vulnerability type that showed up often this year was directory traversal. During the year, many researchers started digging deeper into the code behind web services, and it just so happens that this code is littered with directory-traversal issues: a user-supplied path segment is joined onto a base directory without neutralizing "../" sequences (or their percent-encoded equivalents), so the resulting path escapes the directory the developer intended. This type of issue typically results in arbitrary file writes with attacker-controlled data, which is frequently a short step from code execution, or in disclosure of sensitive information such as configuration files and credentials that could later be used to compromise the application.
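To make the pattern concrete, here is an added example (not code from the original post or from any of the products named in it) of the traversal bug as it usually appears in a web service's file-download handler, beside a hardened version of the same path resolution. The document root, the function names and the probe inputs are all constructed for illustration; the root directory does not need to exist for the path logic to be exercised.

```python
import os
import urllib.parse
from typing import Optional

# Constructed example: a download endpoint maps a user-supplied "file"
# parameter onto a directory on disk. DOC_ROOT is an assumed path, chosen
# for illustration; it need not exist.
DOC_ROOT = "/srv/webservice/docs"


def resolve_vulnerable(user_path: str) -> str:
    """The pattern behind most traversal bugs: the request parameter is
    appended to the base directory with no neutralization. os.path.join()
    silently discards the base when user_path is absolute, and normpath()
    happily collapses '../' segments up and out of DOC_ROOT."""
    return os.path.normpath(os.path.join(DOC_ROOT, user_path))


def resolve_hardened(user_path: str) -> Optional[str]:
    """Return the canonical on-disk path for user_path, or None if it
    would land outside DOC_ROOT. Each step closes one bypass class."""
    # Decode percent-encoding exactly once. If a '%' survives, the input was
    # double-encoded (e.g. %252e%252e); reject it rather than decode again.
    decoded = urllib.parse.unquote(user_path)
    if "%" in decoded:
        return None
    # NUL bytes truncate C strings in the libraries underneath most servers,
    # letting "secret.txt\0.pdf" pass an extension check yet open secret.txt.
    if "\x00" in decoded:
        return None
    # Treat backslash as a separator so "..\\..\\" is not a harmless filename
    # for code that later runs on, or proxies to, a Windows backend.
    decoded = decoded.replace("\\", "/")
    # An absolute path would make os.path.join() drop the base entirely.
    decoded = decoded.lstrip("/")
    if not decoded:
        return None
    # Canonicalize both ends (resolving symlinks and '..') and insist the
    # result is the root or a descendant of it. This containment check is
    # what the vulnerable version lacks. A plain string-prefix test would
    # still accept "/srv/webservice/docs_old/x", hence commonpath().
    root = os.path.realpath(DOC_ROOT)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request inputs of the kind a fuzzer throws at a file parameter.
    probes = [
        "reports/2013.pdf",                          # legitimate
        "../../../etc/passwd",                       # classic traversal
        "..%2F..%2F..%2Fetc%2Fpasswd",               # URL-encoded separators
        "%252e%252e%252f%252e%252e%252fetc/passwd",  # double-encoded
        "/etc/passwd",                               # absolute path swallows the base
        "..\\..\\windows\\win.ini",                  # backslash separators
        "reports/2013.pdf\x00.txt",                  # NUL truncation
    ]
    for p in probes:
        print(f"{p!r:45} vulnerable -> {resolve_vulnerable(p)}")
        print(f"{'':45} hardened   -> {resolve_hardened(p)}")
```

Note that real web frameworks usually decode the query string before the handler sees it, so in practice the vulnerable function receives "../../../etc/passwd" whether the attacker sent it encoded or not; the hardened version decodes exactly once itself so that it behaves the same regardless of what the framework did upstream.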
Finally, we turn our attention to the vendors and examine how they performed last year. The Zero Day Initiative has a unique perspective on how vendors handle vulnerabilities discovered in their products. We get the opportunity to work through the process of responsible disclosure with every major software vendor’s security response team. Some vendors’ response teams are well-oiled machines and others, well, could use some oil. All that said, the top 10 vendors on average took 122 days to fix a vulnerability coming from the Zero Day Initiative in 2013. On that note, here are the top five vendors of applications targeted by our researchers in 2013:

  1. Microsoft
  2. Hewlett-Packard
  3. Oracle
  4. Apple
  5. EMC

(If you slice the submission data by most popular vendor targeted, you witness EMC joining the list of popular targets. In fact, vulnerabilities in three different EMC products were submitted during the year.)
Looking ahead in 2014, we will continue to work to make vulnerability research attractive to white hat researchers and encourage responsible disclosure of critical issues. We expect to see continued focus on the mobile attack surface, embedded software, and SCADA. Another interesting trend we are seeing is researchers finding vulnerabilities in security software itself. Will attackers start taking advantage of the very software and systems designed to protect against attacks? Only time will tell. No matter what happens, ZDI will be there to help by incentivizing researchers to responsibly disclose vulnerabilities and secure the software we all rely on.
This post is both a taste and a snapshot – you can find a lot more detail in our episode 10 podcast (on the web or iTunes) and accompanying report – including wrap-ups of both of 2013’s Pwn2Own and Mobile Pwn2Own contests.
Not enough for you? Want more data on different aspects of security, including vulnerabilities, malware and mobile? Then might I shamelessly suggest the HP Security Research 2013 Risk Report - as luck would have it, serendipitously released today? Get it while the data’s fresh.
Brian Gorenc