Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security

3/15/2012
08:08 PM

The End Of Vulnerabilities?

On a global scale, bugs are never going away, but in specific products, early evidence reveals that companies are having success in weeding out flaws

Less than a decade ago, software programs were a landscape full of unintended bounty. Security researchers could analyze portions of programs, quickly find flaws, and readily exploit them.

Yet times have changed, at least for the most popular programs. Led by Microsoft, software developers have applied secure programming methods to weed out the easy-to-find flaws. And software hardening techniques, such as address space layout randomization (ASLR) and data execution prevention (DEP), have made exploitation of vulnerabilities much more difficult.

Is it possible that exploitable vulnerabilities in the most popular programs may become a rarity? The recent controversy at the Pwn2Own competition at the CanSecWest Conference in Vancouver, B.C., underscored that some types of exploitable vulnerabilities have become rare enough to be quite valuable to their finders. At the heart of the controversy was a class of exploits that allows an attack to "escape" the digital sandbox that protects an operating system from attacks through an application.

Such vulnerability information is just too valuable to give away, says Chaouki Bekrar, CEO and head of research for VUPEN, a security firm and maker of attack tools. Initially, Google sponsored the competition but required that all contestants reveal the techniques used so that affected software vendors could fix the flaws. VUPEN refused to participate in Pwn2Own unless it could keep some of its methods and exploits a secret. When the organizers agreed, Google pulled out of its sponsorships and created a second contest, Pwnium.

"Sandbox escapes are rare and very hard to find," Bekrar says. "Thus, we need to keep it alive as it is useful for our customers."

While software bugs are never going to go away, they have fallen by a third since industry-wide application vulnerabilities peaked in 2006, according to data presented in the latest Microsoft Security Intelligence Report. Most important, almost all the reduction in reported flaws is in medium- and high-severity vulnerabilities.

Moreover, in specific products there is early evidence that companies are having even more success weeding out flaws and making them harder to exploit. Vulnerability submissions, for example, have dropped for the Chrome browser, says Chris Evans, a security engineer with Google, leading the company to offer heftier bounties to the researchers that do report bugs.

"We are seeing evidence that these are harder to find, in that the rates of bug submissions have dropped off," Evans says. "One reasonable assumption is that they are becoming harder to find."

Adobe has seen similar declines -- after initial spikes -- in the reporting of vulnerabilities in its Acrobat and Flash products. Compared to the year before, only half as many bugs were reported in the Flash player in 2011, and a third as many in Acrobat.

"Vulnerability finders got really busy in 2009, and 2010 was busier," Brad Arkin, senior director of security for Adobe, said in a December interview. "And then in 2011, we saw things take a real dip."

Microsoft noted that while its products' share of overall vulnerability reports has stayed relatively constant over the years, that share dropped to 6.9 percent in the first half of 2011, down from 8.2 percent in the second half of 2010. Moreover, the number of critical vulnerabilities reported in its products is at the lowest level ever.

Ever since the company kicked off its Trustworthy Computing Initiative in January 2002, the company has rooted out vulnerabilities in its software, improving its development process and making its operating systems and applications harder to exploit. The global data suggests that Microsoft is not the only company that has benefited from its focus on secure development.

Vulnerability researchers are by no means close to being put out of their jobs. And while companies' focus on eliminating software bugs appears to be paying dividends, it may be the anti-exploitation measures that have the greatest payoff, VUPEN's Bekrar says.

"Discovering vulnerabilities is less difficult than exploiting them, as there are many ways to automate vulnerability discovery, such as fuzzing and code auditing, but exploitation must be achieved by hand using reverse engineering and analysis," he says.

Of course, an alternative explanation does exist. With exploits and exploitable vulnerabilities becoming more rare, and governments increasingly focused on developing cyberoffense capabilities, researchers may just not be reporting their finds. Instead, they may be selling them.

Comments
nikata che
User Rank: Apprentice
3/16/2012 | 7:47:18 AM
re: The End Of Vulnerabilities?
The bugs are always there, no matter which application you use. Browsers, for example: there are always some bugs in whichever version of a browser; the key lies in whether you find them or not. I use Avant Browser. Although I didn't find any problem when using it, in the changelog of the new version there are bugs being fixed. I also use Chrome and Firefox; you will find that the more you use a browser, the more bugs you will find: JavaScript errors, crashes, etc.
sectorx
User Rank: Apprentice
3/16/2012 | 1:52:59 AM
re: The End Of Vulnerabilities?
I'm not sure that I actually agree with this, although I wish that it were the case... as I'm not seeing this from a great deal of major Fortune 500 customers, etc. I think there is simply enough work in the security market and not enough security folks... Also, some of these vulnerability tools are starting to add intelligence wherein they may automatically generate attack vectors... so for general endpoint exploits, firmware, kernels, even at the web server stack, that may be accurate, but at the application layer that may be a little different...