12/31/2013 09:15 AM

4 Trends In Vulnerabilities That Will Continue In 2014

Bounty programs will continue to expand, more researchers will focus on embedded devices and libraries, and security software will find itself under more scrutiny

Vulnerabilities are an ever-present problem, but each year the trends in vulnerabilities are somewhat different. In 2013, slightly fewer vulnerabilities were reported than in the previous year, but because of the expansion of bounty programs, more researchers got paid for their research than in previous years.

This coming year, a number of nascent trends will likely become more pronounced. Researchers will have a broader market for their research, and more vulnerability research will be focused on embedded devices, popular libraries, and security software, experts say.

"A lot of the vulnerabilities that came out this year are issues that are not going to go away anytime soon," says HD Moore, chief research officer for vulnerability management firm Rapid7.

In 2014, Microsoft will also bring the end of support for Windows XP, one of the most popular OSes targeted for exploitation. By the time people pay their taxes, Microsoft's support for the venerable operating system -- originally released in October 2001 -- will have ended. That will likely shift the effort that researchers, and attackers, put into finding vulnerabilities, Moore says.

While finding and fixing vulnerabilities are important tasks -- not to mention, preventing vulnerabilities by adding secure programming techniques to development processes -- companies should expect that attackers will find vulnerabilities in the software that they use and take appropriate measures.

"If you are a valuable target, you have to assume that you are already compromised and that you will get compromised again," Stefan Frei, director of research for security-information firm NSS Labs, said in an interview earlier this month.

As 2013 comes to a close, vulnerability experts identified the trends they expect to continue in the coming year.

1. More pay for researchers
Most vulnerability researchers can now get paid for the effort they put into finding vulnerabilities. Third-party bounty programs are seeing renewed interest. Hewlett-Packard's Zero Day Initiative (ZDI), which pays a modest bounty for vulnerabilities in enterprise software products, has accepted almost 290 vulnerabilities from researchers this year, up from the 203 issues that the company paid for last year.

"We are seeing a steady increase in researchers in our program, especially from the Pac-Asia region, Russia, and the United Kingdom," says Brian Gorenc, manager of vulnerability research for ZDI.

[Companies need to focus on not just fixing known vulnerabilities, but closing potential attack vectors. See Securing More Vulnerabilities By Patching Less.]

Google has led software makers in offering a wide variety of bounties for any security issues found in its products. Yet they are not alone: At least 50 vendors offer bounty programs, according to the list maintained by BugCrowd.com.

Microsoft was the biggest addition to the group this year. The company offered rewards to researchers who found vulnerabilities in its beta products and offered a hefty $100,000 for anyone who found exploits that bypassed the defenses the company built into the latest version of Windows. But Microsoft should do more, says Rapid7's Moore.

"They are getting credit for running a bounty program that is not really relevant," Moore says. "The program does not apply to the software that people are actually exploiting; it applies to the software under development."

2. Exploiting the guards
Researchers have found vulnerabilities in most major security software, and that will continue in 2014, according to ZDI's Gorenc. While most upcoming vulnerabilities focus on Microsoft, Adobe, Oracle, and other major enterprise software vendors, a few reports include the software the companies rely on to secure their systems. In ZDI's upcoming vulnerabilities list, for example, antivirus firm Sophos and security information and event management (SIEM) firm SolarWinds are both included.

"Toward the end of 2013, we saw researchers looking for a lot more vulnerabilities in security products themselves," Gorenc says.

The trend pairs with a similar focus of attackers, who have, over the past four years, focused on attacking companies that supply security products to enterprises. RSA, Bit9, and Symantec are among the companies that have had their systems breached.

3. Embedded devices mean flaws live longer
From vulnerabilities in Android to problems with universal plug-and-play to security issues in industrial control and medical systems, vulnerabilities in embedded devices are an increasing focus for researchers. Such security issues are a problem for users because most devices are not easily patched, and manufacturers often take months to years to update their device software.

A big part of that is the resurgence of Linux as a target for research, says Rapid7's Moore. In the past, a vulnerability in Linux meant that companies had to patch their Web and database servers, but increasingly those vulnerabilities are found in embedded devices.

"Anytime you have a Linux kernel vulnerability, the scary thing is that those don't go away," Moore says. "They get baked into every Android phone and embedded box that is out there."

4. Libraries under attack
Along with embedded systems, attackers will continue their focus on the popular libraries and frameworks used by developers. Graphics libraries, such as LibTIFF, are popular targets of vulnerability research. Rapid7 found that issues in the universal plug-and-play library, LibPNP, continued to be widespread.

"Library bugs tend to stick around for a while because they apply to more and more software going forward" as developers build the libraries into more products, Moore says.

Because developers do not usually issue an update to fix vulnerabilities in libraries, software reliant on vulnerable library versions continues to exist. "There is a multiyear tail on those issues," he says.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments
davidneville (User Rank: Apprentice), 1/17/2014 | 7:36:52 PM
re: 4 Trends In Vulnerabilities That Will Continue In 2014
Dave Wichers, of OWASP fame, speaks about known vulnerabilities in libraries on Contrast Security's blog http://www1.contrastsecurity.c.... Using out-of-date libraries really is just silly.

DPAMID750 (User Rank: Apprentice), 1/1/2014 | 12:33:03 AM
re: 4 Trends In Vulnerabilities That Will Continue In 2014
RE: More pay for researchers.

It's amazing that researchers even bother with HP, Microsoft, etc, because organized crime, APT, etc, pay A LOT MORE for zero days and unknown vulnerabilities.

Let's just hope the cheapness of executives at HP, Microsoft, etc., doesn't end up coming back to bite them if/when they battle a multi-front war against (formerly friendly) researchers, organized crime, nation states, and other APT-related threats.