The End Of Vulnerabilities?

On a global scale, bugs are never going away, but in specific products, early evidence reveals that companies are having success in weeding out flaws.
Less than a decade ago, software programs were a landscape full of unintended bounty. Security researchers could analyze portions of programs, quickly find flaws, and readily exploit them.
Yet times have changed, at least for the most popular programs. Led by Microsoft, software developers have applied secure programming methods to weed out the easy-to-find flaws. And software hardening techniques, such as address space layout randomization (ASLR) and data execution protection (DEP), have made exploitation of vulnerabilities much more difficult.
Is it possible that exploitable vulnerabilities in the most popular programs may become a rarity? The recent controversy at the Pwn2Own competition at the CanSecWest Conference in Vancouver, B.C., underscored that some types of exploitable vulnerabilities have become rare enough to be quite valuable to their finders. At the heart of the controversy was a class of exploits that allows an attacker to "escape" the digital sandbox that protects an operating system from attacks through an application.
Such vulnerability information is just too valuable to give away, says Chaouki Bekrar, CEO and head of research for VUPEN, a security firm and maker of attack tools. Initially, Google sponsored the competition but required that all contestants reveal the techniques used so that affected software vendors could fix the flaws. VUPEN refused to participate in Pwn2Own unless it could keep some of its methods and exploits a secret. When the organizers agreed, Google pulled out of its sponsorships and created a second contest, Pwnium.
"Sandbox escapes are rare and very hard to find," Bekrar says. "Thus, we need to keep it alive as it is useful for our customers."
While software bugs are never going to go away, they have fallen by a third since industry-wide application vulnerabilities peaked in 2006, according to data presented in the latest Microsoft Security Intelligence Report. Most important, almost all the reduction in reported flaws is in medium- and high-severity vulnerabilities.
Moreover, in specific products there is early evidence that companies are having even more success weeding out flaws and making them harder to exploit. Vulnerability submissions, for example, have dropped for the Chrome browser, says Chris Evans, a security engineer with Google, leading the company to offer heftier bounties to the researchers who do report bugs.
"We are seeing evidence that these are harder to find, in that the rates of bug submissions have dropped off," Evans says. "One reasonable assumption is that they are becoming harder to find."
Adobe has seen a similar decline -- after initial spikes -- in the reporting of vulnerabilities in its Acrobat and Flash products. Compared to the year before, only half as many bugs were reported in the Flash player in 2011, and a third as many in Acrobat.
"Vulnerability finders got really busy in 2009, and 2010 was busier," Brad Arkin, senior director of security for Adobe, said in a December interview. "And then in 2011, we saw things take a real dip."
While Microsoft noted that its products' share of overall vulnerability reports has stayed relatively constant over the years, that share dropped to 6.9 percent in the first half of 2011, down from 8.2 percent in the second half of 2010. Moreover, the number of critical vulnerabilities reported in its products is at the lowest level ever.
Ever since Microsoft kicked off its Trustworthy Computing Initiative in January 2002, the company has rooted out vulnerabilities in its software, improving its development process and making its operating systems and applications harder to exploit. The global data suggests that Microsoft is not the only company that has benefited from its focus on secure development.
Vulnerability researchers are by no means close to being put out of their jobs. And while companies' focus on eliminating software bugs appears to be paying dividends, it may be the anti-exploitation measures that have the greatest payoff, VUPEN's Bekrar says.
"Discovering vulnerabilities is less difficult than exploiting them, as there are many ways to automate vulnerability discovery, such as fuzzing and code auditing, but exploitation must be achieved by hand using reverse engineering and analysis," he says.
Of course, an alternative explanation does exist. With exploits and exploitable vulnerabilities becoming more rare, and governments increasingly focused on developing cyberoffense capabilities, researchers may just not be reporting their finds. Instead, they may be selling them.