HP TippingPoint’s Zero Day Initiative (ZDI), which pays researchers year-round for responsible disclosure of security flaws and sponsors events like Pwn2Own, has a privileged vantage point on the state of security research.
In 2012 ZDI published 203 advisories covering a long list of vulnerabilities, and it identified Microsoft as the top vendor target for researchers, with over 100 submissions.
While 2012 was a busy year for new ZDI vulnerability disclosures, the bug classes behind them weren’t new. Brian Gorenc, manager of the Zero Day Initiative, told eSecurity Planet that security researchers were not necessarily submitting new classes of vulnerabilities in 2012.
“We saw steady submissions of buffer overflows and use-after-free vulnerabilities as well as SQL injections,” Gorenc said. “We focus on remote code execution vulnerabilities, so those are the types of things that people submit to us.”
What did change somewhat in 2012 was that researchers began submitting the same bug classes against products in the mobile space. Because mobile devices present a large attack surface, researchers are now turning their attention in that direction, Gorenc noted.
“As people are using more mobile devices, we’re seeing a shift in research to those areas because that’s where the valuable information is,” Gorenc said.
Microsoft a Big Target
Microsoft remains a top target for security researchers, though in 2012 ZDI did not see many Windows 8-specific submissions. Gorenc noted that the majority of submissions against Microsoft involved Internet Explorer (IE).
The ZDI Pwn2Own contest specifically engages researchers to find browser vulnerabilities during a live event.
Google ran a parallel event called Pwnium alongside the 2012 Pwn2Own contest, offering researchers the chance at a larger individual prize than the award offered by ZDI. Pwn2Own’s top prize of $60,000 was awarded on a point system spanning several vulnerabilities. In contrast, Pwnium paid out $60,000 for a single vulnerability disclosure.
Gorenc said his group doesn’t get into bidding wars over vulnerabilities, and he declined to provide a monetary range for what ZDI paid for security research during 2012. “We offer what we think the value of the vulnerability is and the researcher has the right to accept or reject it. Most of the time they accept it.”
Better Reporting Means Better Fixes
Over the course of 2012, Gorenc said he saw security researchers submit better write-ups of vulnerabilities. A solid research report has a number of components; it’s not enough to simply say that a product is vulnerable to an exploit.
“We’re focused on determining what the root cause is for a vulnerability and helping the vendor pinpoint the mitigations that can be put in place,” Gorenc said.
In terms of what vendors can do to improve security, it’s all about improving the software development lifecycle.
“If you catch bugs earlier on during development, it costs less to fix than once it gets out in public,” Gorenc said. “Not every bug is exploitable, but a bug is a bug and software developers need to focus on improving the maturity and quality of products that come out.”