Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

3/15/2012
08:08 PM
50%
50%

The End Of Vulnerabilities?

On a global scale, bugs are never going away, but in specific products, early evidence reveals that companies are having success in weeding out flaws

Less than a decade ago, software programs were a landscape full of unintended bounty. Security researchers could analyze portions of programs, quickly find flaws, and readily exploit them.

Yet times have changed, at least for the most popular programs. Led by Microsoft, software developers have applied secure programming methods to weed out the easy-to-find flaws. And software hardening techniques, such as address space layout randomization (ASLR) and data execution protection (DEP), have made exploitation of vulnerabilities much more difficult.

Is it possible that exploitable vulnerabilities in the most popular programs may become a rarity? The recent controversy at the Pwn2Own competition at the CanSecWest Conference in Vancouver, B.C., underscored that some types of exploitable vulnerabilities have become rare enough to be quite valuable to their finders. At the heart of the controversy was a class of exploits that allows an attack to "escape" the digital sandbox that protects an operating system from attacks through an application.

Such vulnerability information is just too valuable to give away, says Chaouki Bekrar, CEO and head of research for VUPEN, a security firm and maker of attack tools. Initially, Google sponsored the competition but required that all contestants reveal the techniques used so that affected software vendors could fix the flaws. VUPEN refused to participate in Pwn2Own unless it could keep some of its methods and exploits a secret. When the organizers agreed, Google pulled out of its sponsorships and created a second contest, Pwnium.

"Sandbox escapes are rare and very hard to find," Bekrar says. "Thus, we need to keep it alive as it is useful for our customers."

While software bugs are never going to go away, they have fallen by a third since industry-wide application vulnerabilities peaked in 2006, according to data presented in the latest Microsoft Security Intelligence Report. Most important, almost all the reduction in reported flaws is in medium- and high-severity vulnerabilities.

Moreover, in specific products there is early evidence that companies are having even more success weeding out flaws and making them harder to exploit. Vulnerability submissions, for example, have dropped for the Chrome browser, says Chris Evans, a security engineer with Google, leading the company to offer heftier bounties to the researchers that do report bugs.

"We are seeing evidence that these are harder to find, in that the rates of bug submissions have dropped off," Evans says. "One reasonable assumption is that they are becoming harder to find."

Adobe has seen a similar declines -- after initial spikes -- in the reporting of vulnerabilities in its Acrobat and Flash products. Compared to the year before, only half as many bugs were reported in the Flash player in 2011, and a third as many in Acrobat.

"Vulnerability finders got really busy in 2009, and 2010 was busier," Brad Arkin, senior director of security for Adobe, said in a December interview. "And then in 2011, we saw things take are real dip."

Microsoft noted that its products' share of overall vulnerability reports has stayed relatively constant over the years, that share dropped to 6.9 percent in the first half of 2011, down from 8.2 percent in the second half of 2010. Moreover, the number of critical vulnerabilities reported in its products is at the lowest level ever.

Ever since the company kicked off its Trustworthy Computing Initiative in January 2002, the company has rooted out vulnerabilities in its software, improving its development process and making its operating systems and applications harder to exploit. The global data suggests that Microsoft is not the only company that has benefited from its focus on secure development.

Vulnerability researchers are by no means close to being put out of their jobs. And while companies' focus on eliminating software bugs appears to be paying dividends, it may be the anti-exploitation measures that have the greatest payoff, VUPEN's Bekrar says.

"Discovering vulnerabilities is less difficult than exploiting them, as there are many ways to automate vulnerability discovery, such as fuzzing and code auditing, but exploitation must be achieved by hand using reverse engineering and analysis," he says.

Of course, an alternative explanation does exist. With exploits and exploitable vulnerabilities becoming more rare, and governments increasingly focused on developing cyberoffense capabilities, researchers may just not be reporting their finds. Instead, they may be selling them.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nikata che
50%
50%
nikata che,
User Rank: Apprentice
3/16/2012 | 7:47:18 AM
re: The End Of Vulnerabilities?
The bugs are always there, no matter which application you use. Browsers for example, there are always some bugs in whichever version of a browser, the key lies in whether you find it or not.I use Avant browse Although I didn't find any problem when using it, but in the changelog og the new version, there are bugs be fixed. I also use chrome and firefox, you will find the more you use a browser, the more bugs you will find.Javascript error ,crash etc.
sectorx
50%
50%
sectorx,
User Rank: Apprentice
3/16/2012 | 1:52:59 AM
re: The End Of Vulnerabilities?
Im not sure that I actually agree with this, although I wish that it were the case....as Im not seeing this from a great deal of major fortune 500 customers etc. I think there is simply enough work in the security market and not enough security folks...Also some of these vulnerability tools are starting to add intelligence where-in they may automatically generate attack vectors...so for general endpoint exploits, firmware, kernels, even at the web server stack that maybe accurate, but at the application layer that maybe a little different...
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17612
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
CVE-2019-17613
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
CVE-2019-17395
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVE-2019-17602
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
CVE-2019-17394
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.