Bounty programs will continue to expand, more researchers will focus on embedded devices and libraries, and security software will find itself under more scrutiny

5 Min Read

Vulnerabilities are an ever-present problem, but each year the trends in vulnerabilities are somewhat different. In 2013, slightly fewer vulnerabilities were reported than in the previous year, but because of the expansion of bounty programs, more researchers got paid for their research than in previous years.

This coming year, a number of nascent trends will likely become more pronounced. Researchers will have a broader market for their research, and more vulnerability research will be focused on embedded devices, popular libraries, and security software, experts say.

"A lot of the vulnerabilities that came out this year are issues that are not going to go away anytime soon," says HD Moore, chief research officer for vulnerability management firm Rapid7.

In 2014, Microsoft will also bring the end of support for Windows XP, one of the most popular OSes targeted for exploitation. By the time people pay their taxes, Microsoft's support for the venerable operating system -- originally released in October 2001 -- will have ended. That will likely shift the effort that researchers, and attackers, put into finding vulnerabilities, Moore says.

While finding and fixing vulnerabilities are important tasks -- not to mention, preventing vulnerabilities by adding secure programming techniques to development processes -- companies should expect that attackers will find vulnerabilities in the software that they use and take appropriate measures.

"If you are a valuable target, you have to assume that you are already compromised and that you will get compromised again," Stefan Frei, director of research for security-information firm NSS Labs, said in an interview earlier this month.

As 2013, comes to a close, vulnerability experts identified the trends they expect to continue in the coming year.

1. More pay for researchers
Most vulnerability researchers can now get paid for the effort they put into finding vulnerabilities. Third-party bounty programs are seeing renewed interest. Hewlett-Packard's Zero Day Initiative (ZDI), which pays a modest bounty for vulnerabilities in enterprise software products, has accepted almost 290 vulnerabilities from researchers this year, up from the 203 issues that the company paid for last year.

"We are seeing a steady increase in researchers in our program, especially from the Pac-Asia region, Russia, and the United Kingdom," says Brian Gorenc, manager of vulnerability research for ZDI.

[Companies need to focus on not just fixing known vulnerabilities, but closing potential attack vectors. See Securing More Vulnerabilities By Patching Less.]

Google has led software makers in offering a wide variety of bounties for any security issues found in its products. Yet they are not alone: At least 50 vendors offer bounty programs, according to the list maintained by BugCrowd.com.

Microsoft was the biggest addition to the group this year. The company offered rewards to researchers who found vulnerabilities in its beta products and offered a hefty $100,000 for anyone who found exploits that bypassed the defenses the company built into the latest version of Windows. But Microsoft should do more, says Rapid7's Moore.

"They are getting credit for running a bounty program that is not really relevant," Moore says. "The program does not apply to the software that people are actually exploiting; it applies to the software under development."

2. Exploiting the guards
Researchers have found vulnerabilities in most major security software, and that will continue in 2014, according to ZDI's Gorenc. While most upcoming vulnerabilities focus on Microsoft, Adobe, Oracle, and other major enterprise software vendors, a few reports include the software the companies rely on to secure their systems. In ZDI's upcoming vulnerabilities list, for example, antivirus firm Sophos and security information and event management (SIEM) firm SolarWinds are both included.

"Toward the end of 2013, we saw researchers looking for a lot more vulnerabilities in security products themselves," Gorenc says.

The trend pairs with a similar focus of attackers, who have, over the past four years, focused on attacking companies that supply security products to enterprises. RSA, Bit9, and Symantec are among the companies that have had their systems breached.

3. Embedded devices mean flaws live longer
From vulnerabilities in Android to problems with universal plug-and-play to security issues in industrial control and medical systems, vulnerabilities in embedded devices are an increasingly focus for researchers. Such security issues are a problem for users because most devices are not easily patched and often manufacturers take months to years to update their device software.

A big part of that is the resurgence of Linux as a target for research, says Rapid7's Moore. In the past, a vulnerability in Linux meant that companies had to patch their Web and database servers, but increasingly those vulnerabilities are found in embedded devices.

"Anytime you have a Linux kernel vulnerability, the scary thing is that those don't go away," Moore says. "They get baked into every Android phone and embedded box that is out there."

4. Libraries under attack
Along with embedded systems, attackers will continue their focus on the popular libraries and frameworks used by developers. Graphics library, such as LibTIFF, are popular targets of vulnerability research. Rapid7 found that issues in the universal plug-and-play library, LibPNP, continued to be widespread.

"Library bugs tend to stick around for a while because they apply to more and more software going forward" as developers build the libraries into more products, Moore says.

Because developers do not usually issue an update to fix vulnerabilities libraries, software reliant on vulnerable library versions continues to exist. "There is a multiyear tail on those issues," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights