Risk
12/31/2013
09:15 AM

4 Trends In Vulnerabilities That Will Continue In 2014

Bounty programs will continue to expand, more researchers will focus on embedded devices and libraries, and security software will find itself under more scrutiny

Vulnerabilities are an ever-present problem, but each year the trends in vulnerabilities are somewhat different. In 2013, slightly fewer vulnerabilities were reported than in the previous year, but because of the expansion of bounty programs, more researchers got paid for their research than in previous years.

This coming year, a number of nascent trends will likely become more pronounced. Researchers will have a broader market for their research, and more vulnerability research will be focused on embedded devices, popular libraries, and security software, experts say.

"A lot of the vulnerabilities that came out this year are issues that are not going to go away anytime soon," says HD Moore, chief research officer for vulnerability management firm Rapid7.

In 2014, Microsoft will also bring the end of support for Windows XP, one of the most popular OSes targeted for exploitation. By the time people pay their taxes, Microsoft's support for the venerable operating system -- originally released in October 2001 -- will have ended. That will likely shift the effort that researchers, and attackers, put into finding vulnerabilities, Moore says.

While finding and fixing vulnerabilities are important tasks -- not to mention, preventing vulnerabilities by adding secure programming techniques to development processes -- companies should expect that attackers will find vulnerabilities in the software that they use and take appropriate measures.

"If you are a valuable target, you have to assume that you are already compromised and that you will get compromised again," Stefan Frei, director of research for security-information firm NSS Labs, said in an interview earlier this month.

As 2013 comes to a close, vulnerability experts identified the trends they expect to continue in the coming year.

1. More pay for researchers
Most vulnerability researchers can now get paid for the effort they put into finding vulnerabilities. Third-party bounty programs are seeing renewed interest. Hewlett-Packard's Zero Day Initiative (ZDI), which pays a modest bounty for vulnerabilities in enterprise software products, has accepted almost 290 vulnerabilities from researchers this year, up from the 203 issues that the company paid for last year.

"We are seeing a steady increase in researchers in our program, especially from the Pac-Asia region, Russia, and the United Kingdom," says Brian Gorenc, manager of vulnerability research for ZDI.

[Companies need to focus on not just fixing known vulnerabilities, but closing potential attack vectors. See Securing More Vulnerabilities By Patching Less.]

Google has led software makers in offering a wide variety of bounties for any security issues found in its products. Yet they are not alone: At least 50 vendors offer bounty programs, according to the list maintained by BugCrowd.com.

Microsoft was the biggest addition to the group this year. The company offered rewards to researchers who found vulnerabilities in its beta products and offered a hefty $100,000 for anyone who found exploits that bypassed the defenses the company built into the latest version of Windows. But Microsoft should do more, says Rapid7's Moore.

"They are getting credit for running a bounty program that is not really relevant," Moore says. "The program does not apply to the software that people are actually exploiting; it applies to the software under development."

2. Exploiting the guards
Researchers have found vulnerabilities in most major security software, and that will continue in 2014, according to ZDI's Gorenc. While most upcoming vulnerabilities focus on Microsoft, Adobe, Oracle, and other major enterprise software vendors, a few reports include the software the companies rely on to secure their systems. In ZDI's upcoming vulnerabilities list, for example, antivirus firm Sophos and security information and event management (SIEM) firm SolarWinds are both included.

"Toward the end of 2013, we saw researchers looking for a lot more vulnerabilities in security products themselves," Gorenc says.

The trend pairs with a similar focus of attackers, who have, over the past four years, focused on attacking companies that supply security products to enterprises. RSA, Bit9, and Symantec are among the companies that have had their systems breached.

3. Embedded devices mean flaws live longer
From vulnerabilities in Android to problems with universal plug-and-play to security issues in industrial control and medical systems, vulnerabilities in embedded devices are an increasing focus for researchers. Such security issues are a problem for users because most devices are not easily patched, and manufacturers often take months or years to update their device software.

A big part of that is the resurgence of Linux as a target for research, says Rapid7's Moore. In the past, a vulnerability in Linux meant that companies had to patch their Web and database servers; increasingly, the same vulnerabilities turn up in embedded devices.

"Anytime you have a Linux kernel vulnerability, the scary thing is that those don't go away," Moore says. "They get baked into every Android phone and embedded box that is out there."

4. Libraries under attack
Along with embedded systems, attackers will continue to focus on the popular libraries and frameworks used by developers. Graphics libraries, such as libtiff, are popular targets of vulnerability research. Rapid7 found that issues in the universal plug-and-play library libupnp continued to be widespread.

"Library bugs tend to stick around for a while because they apply to more and more software going forward" as developers build the libraries into more products, Moore says.

Because developers do not usually ship an update just to fix a vulnerability in a library they bundle, software that relies on vulnerable library versions continues to exist. "There is a multiyear tail on those issues," he says.
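One practical consequence of that tail: a product that statically links a library keeps the library's version banner inside its binary, so a bundled copy can be identified even when there is no package manager or symbol table to ask. The script below is an added example, not code from the article or from Rapid7; it scans a blob for the banner strings that libpng and libtiff really emit, reports every distinct bundled copy, and compares each against a minimum-version policy. The policy thresholds and the sample "firmware" bytes are constructed for illustration and are not tied to any particular advisory.

```python
"""Find bundled library copies in a firmware image by their version banners.

Added example (not from the article). Statically linked libpng and libtiff
carry a version string that survives in the binary, so the bundled version
can be recovered without symbols or a package database.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Banner formats the real libraries emit (png.h PNG_HEADER_VERSION_STRING and
# tiffvers.h TIFFLIB_VERSION_STR). Only the dotted version number is captured.
BANNER_PATTERNS = {
    "libpng": re.compile(rb"libpng version (\d+(?:\.\d+)+)"),
    "libtiff": re.compile(rb"LIBTIFF, Version (\d+(?:\.\d+)+)"),
}

# ASSUMPTION: illustrative minimum-acceptable versions. Fill these from your
# own advisory tracking; they are not derived from any specific CVE.
MIN_ACCEPTABLE: Dict[str, Version] = {
    "libpng": (1, 6, 0),
    "libtiff": (4, 0, 0),
}


def parse_version(text: str) -> Version:
    """'1.2.50' -> (1, 2, 50). Numeric tuples order correctly; a string
    compare would wrongly sort '1.10.0' before '1.9.0'."""
    return tuple(int(part) for part in text.split("."))


def find_bundled_libraries(blob: bytes) -> Dict[str, List[str]]:
    """Return every distinct version banner per library, in file order.
    One image may contain several statically linked copies of a library,
    each built into a different component."""
    found: Dict[str, List[str]] = {}
    for lib, pattern in BANNER_PATTERNS.items():
        versions: List[str] = []
        for match in pattern.finditer(blob):
            ver = match.group(1).decode("ascii")
            if ver not in versions:
                versions.append(ver)
        if versions:
            found[lib] = versions
    return found


def evaluate(blob: bytes,
             policy: Optional[Dict[str, Version]] = None) -> List[Tuple[str, str, bool]]:
    """(library, version, acceptable) for each bundled copy found.
    A library with no policy entry is reported as not acceptable, so an
    unknown component is never silently passed."""
    policy = MIN_ACCEPTABLE if policy is None else policy
    results: List[Tuple[str, str, bool]] = []
    for lib, versions in find_bundled_libraries(blob).items():
        minimum = policy.get(lib)
        for ver in versions:
            ok = minimum is not None and parse_version(ver) >= minimum
            results.append((lib, ver, ok))
    return results


# Constructed sample (not a real image): an ELF-ish header, two statically
# linked libpng copies (one old, one current) and one old libtiff, padded
# with junk bytes between them.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"libpng version 1.2.50 - July 10, 2012\n"
    + b"\x90" * 32
    + b"LIBTIFF, Version 3.9.4\nCopyright (c) 1988-1996 Sam Leffler\n"
    + b"\xcc" * 32
    + b"libpng version 1.6.37 - April 14, 2019\n"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for lib, ver, ok in evaluate(SAMPLE_BLOB):
        print(f"{lib:8} {ver:8} {'ok' if ok else 'BELOW POLICY'}")
```

Run it against a real firmware image by reading the file as bytes and passing it to `evaluate()`; the point of reporting every distinct copy rather than the first hit is that the old copy is usually the one nobody remembers shipping.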

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments
davidneville
User Rank: Apprentice
1/17/2014 | 7:36:52 PM
re: 4 Trends In Vulnerabilities That Will Continue In 2014
Dave Wichers, of OWASP fame, speaks about known vulnerabilities in libraries on Contrast Security's blog http://www1.contrastsecurity.c.... Using out-of-date libraries really is just silly.
DPAMID750
User Rank: Apprentice
1/1/2014 | 12:33:03 AM
re: 4 Trends In Vulnerabilities That Will Continue In 2014
RE: More pay for researchers.

It's amazing that researchers even bother with HP, Microsoft, etc, because organized crime, APT, etc, pay A LOT MORE for zero days and unknown vulnerabilities.

Let's just hope the cheapness of executives at HP, Microsoft, etc, doesn't end up coming back to bite them if/when they battle a multi-front war against (formerly friendly) researchers, organized crime, nation states, and other APT related threats.