12/31/2013
09:15 AM

4 Trends In Vulnerabilities That Will Continue In 2014

Bounty programs will continue to expand, more researchers will focus on embedded devices and libraries, and security software will find itself under more scrutiny

Vulnerabilities are an ever-present problem, but each year the trends in vulnerabilities are somewhat different. In 2013, slightly fewer vulnerabilities were reported than in the previous year, but because of the expansion of bounty programs, more researchers got paid for their research than in previous years.

This coming year, a number of nascent trends will likely become more pronounced. Researchers will have a broader market for their research, and more vulnerability research will be focused on embedded devices, popular libraries, and security software, experts say.

"A lot of the vulnerabilities that came out this year are issues that are not going to go away anytime soon," says HD Moore, chief research officer for vulnerability management firm Rapid7.

In 2014, Microsoft will also bring the end of support for Windows XP, one of the most popular OSes targeted for exploitation. By the time people pay their taxes, Microsoft's support for the venerable operating system -- originally released in October 2001 -- will have ended. That will likely shift the effort that researchers, and attackers, put into finding vulnerabilities, Moore says.

While finding and fixing vulnerabilities are important tasks -- not to mention, preventing vulnerabilities by adding secure programming techniques to development processes -- companies should expect that attackers will find vulnerabilities in the software that they use and take appropriate measures.

"If you are a valuable target, you have to assume that you are already compromised and that you will get compromised again," Stefan Frei, director of research for security-information firm NSS Labs, said in an interview earlier this month.

As 2013 comes to a close, vulnerability experts identified the trends they expect to continue in the coming year.

1. More pay for researchers
Most vulnerability researchers can now get paid for the effort they put into finding vulnerabilities. Third-party bounty programs are seeing renewed interest. Hewlett-Packard's Zero Day Initiative (ZDI), which pays a modest bounty for vulnerabilities in enterprise software products, has accepted almost 290 vulnerabilities from researchers this year, up from the 203 issues that the company paid for last year.

"We are seeing a steady increase in researchers in our program, especially from the Pac-Asia region, Russia, and the United Kingdom," says Brian Gorenc, manager of vulnerability research for ZDI.

[Companies need to focus on not just fixing known vulnerabilities, but closing potential attack vectors. See Securing More Vulnerabilities By Patching Less.]

Google has led software makers in offering a wide variety of bounties for any security issues found in its products. Yet it is not alone: At least 50 vendors offer bounty programs, according to the list maintained by BugCrowd.com.

Microsoft was the biggest addition to the group this year. The company offered rewards to researchers who found vulnerabilities in its beta products and offered a hefty $100,000 for anyone who found exploits that bypassed the defenses the company built into the latest version of Windows. But Microsoft should do more, says Rapid7's Moore.

"They are getting credit for running a bounty program that is not really relevant," Moore says. "The program does not apply to the software that people are actually exploiting; it applies to the software under development."

2. Exploiting the guards
Researchers have found vulnerabilities in most major security software, and that will continue in 2014, according to ZDI's Gorenc. While most upcoming vulnerabilities focus on Microsoft, Adobe, Oracle, and other major enterprise software vendors, a few reports include the software the companies rely on to secure their systems. In ZDI's upcoming vulnerabilities list, for example, antivirus firm Sophos and security information and event management (SIEM) firm SolarWinds are both included.

"Toward the end of 2013, we saw researchers looking for a lot more vulnerabilities in security products themselves," Gorenc says.

The trend pairs with a similar focus of attackers, who have, over the past four years, focused on attacking companies that supply security products to enterprises. RSA, Bit9, and Symantec are among the companies that have had their systems breached.

3. Embedded devices mean flaws live longer
From vulnerabilities in Android to problems with universal plug-and-play to security issues in industrial control and medical systems, vulnerabilities in embedded devices are an increasing focus for researchers. Such security issues are a problem for users because most devices are not easily patched, and manufacturers often take months to years to update their device software.

A big part of that is the resurgence of Linux as a target for research, says Rapid7's Moore. In the past, a vulnerability in Linux meant that companies had to patch their Web and database servers, but increasingly those vulnerabilities are found in embedded devices.

"Anytime you have a Linux kernel vulnerability, the scary thing is that those don't go away," Moore says. "They get baked into every Android phone and embedded box that is out there."

4. Libraries under attack
Along with embedded systems, attackers will continue their focus on the popular libraries and frameworks used by developers. Graphics libraries, such as LibTIFF, are popular targets of vulnerability research. Rapid7 found that issues in the universal plug-and-play library, LibPNP, continued to be widespread.

"Library bugs tend to stick around for a while because they apply to more and more software going forward" as developers build the libraries into more products, Moore says.

Because developers do not usually issue an update to fix vulnerabilities in libraries, software reliant on vulnerable library versions continues to exist. "There is a multiyear tail on those issues," he says.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments
davidneville, User Rank: Apprentice, 1/17/2014 | 7:36:52 PM
re: 4 Trends In Vulnerabilities That Will Continue In 2014
Dave Wichers, of OWASP fame, speaks about known vulnerabilities in libraries on Contrast Security's blog http://www1.contrastsecurity.c.... Using out-of-date libraries really is just silly.
DPAMID750, User Rank: Apprentice, 1/1/2014 | 12:33:03 AM
re: 4 Trends In Vulnerabilities That Will Continue In 2014
RE: More pay for researchers.

It's amazing that researchers even bother with HP, Microsoft, etc, because organized crime, APT, etc, pay A LOT MORE for zero days and unknown vulnerabilities.

Let's just hope the cheapness of executives at HP, Microsoft, etc, doesn't end up coming back to bite them if/when they battle a multi-front war against (formerly friendly) researchers, organized crime, nation states, and other APT related threats.