The ZDI 2016 Retrospective

January 09, 2017 | Dustin Childs

There’s a bit of debate over who actually first said “Never make predictions, especially about the future.” There’s no debate about the sentiment. You usually end up saying something completely forgettable or something that will make you look silly in retrospect. Rather than try to predict trends for 2017, let’s take a look back at some specific numbers and highlights from 2016.

Our Busiest Year – Our Favorite Things

The Zero Day Initiative (ZDI) published 674 advisories during 2016 – eight more than last year. Of these, 54 were published as 0-day. That means that 620 different issues were successfully coordinated with the vendor to release alongside a patch or other mitigation. In all, ZDI paid out almost $2,000,000 USD this year. The information provided to DVLabs generated more than 450 pre-disclosure filters to help protect customers from zero-day threats.

As with previous years, we worked with lots of talented researchers in 2016. Our program would not be successful without our community of researchers, and we thank them for their contributions. Rather than call out the most prolific or try to narrow down what counts as “best”, we did want to highlight a researcher who caught our attention with both the complexity of issues found as well as the breadth of products reported. That researcher is known simply as “kdot” and he is responsible for published advisories in Google Chrome, Adobe Reader, Microsoft PDF Library, and Foxit Reader. In all, kdot was responsible for 30 separate published advisories in 2016. We get excited to see someone who’s growing his skills and managing to find bugs in high-profile targets.

We’d be remiss if we didn’t mention some of the other great researchers who made significant contributions to ZDI in 2016. Another researcher who contributed bugs in multiple high-profile targets is bee13oy of CloverSec Labs. He contributed to 18 different advisories in products from Microsoft, Adobe, Oracle, and AVG among others. The researcher known as rgod has been a significant contributor to ZDI over the years, and 2016 was no exception. He had 15 published advisories in products including Microsoft, Novell, Dell, and CA. He also has more than 70 cases in the upcoming queue, so we’ll be speaking of him for a while. Speaking of the upcoming advisories, Steven Seeley of Source Incite has over 100 cases waiting for vendor resolution. This complements his 20 advisories published in 2016 in Adobe, Foxit, and Microsoft products.

Not every report from these researchers was automatically accepted. In fact, nearly 43% of all submissions were rejected in 2016. Reasons for rejecting a submission vary (see our FAQ), but this rate of rejection is on par with previous years and much better than some other programs have claimed.

Beautiful Bugs Abound

Although we thought about it quite a bit, we couldn’t come to a consensus on our favorite bug of the year (BOTY). Here are a few of the BOTY candidates:

CVE-2016-3382 – This bug was submitted by an anonymous researcher and patched by Microsoft with MS16-118. One of our ZDI analysts referred to it as a “stunning case of type confusion.” It was given an Exploitability Index (XI) rating of 1 – meaning exploitation is likely – for both the latest version of IE and Edge.

CVE-2016-0158 – This bug was submitted by a researcher named lokihardt and patched by MS16-038. This bug also received an XI rating of 1 for Edge. What really set this one apart was the mere six (yes 6) lines of HTML between <script></script> tags needed to cause the UXSS.

CVE-2016-7272 – This bug was submitted by Giwan Go of STEALIEN and patched with MS16-146. Another XI of 1 for all supported versions of Windows, this bug could allow code execution just by opening a new window in Windows Explorer.

CVE-2016-1806 – This bug was used by JungHoon Lee (lokihardt) during this year’s Pwn2Own competition and was patched by Apple’s Security Update 2016-003. While “sudo” is normally considered a safe method to escalate privileges, lokihardt exploited a flaw in the sudo command to move from a Safari exploit to root permissions. Our own researchers detailed this bug (and others) at Black Hat this past year too.

CVE-2016-7857 – This Adobe Flash bug reported by bee13oy of CloverSec Labs was patched in November. It stands out due to it being a race condition in Flash where an attacker can at times control EIP and execute arbitrary code. Superhero puns aside, race conditions are somewhat rare in Flash.

CVE-2016-5161 – This bug in Chrome was reported by a researcher known as 62600BCA031B9EB5CB4A74ADDDD6771E, which is a tad hard to pronounce, and patched by Google in October. A type confusion bug in the browser, what sets this apart was the memorable PoC sent in with the description. Running the code on Chromium without a debugger attached results in an “Aw Snap.”

Vendors in the Spotlight

Our program also relies on vendors patching the vulnerabilities we report to them, and we thank them for the work they do as well.

As with 2015, this past year saw ZDI publish more advisories for Adobe software than any other vendor, with Adobe products accounting for 149 of the 674 total advisories. In fact, Adobe products accounted for 22% of published advisories in both 2015 and 2016. This year also continued the trend of issues being reported in Adobe Reader and Acrobat in addition to reports of issues in Flash. This trend will likely continue as more and more browsers prevent Flash from running by default.

Here’s the overall breakdown of vendors ZDI published advisories for in 2016:

 

After taking 2015 off with no advisories at all, Advantech industrial systems ended up as the #2 most reported vendor with 112 advisories published. That equates to 17% of the published advisories. However, this doesn’t necessarily mean this vendor has a wide attack surface. All of these cases came in through the same anonymous researcher, meaning the researcher found a specific type of bug prevalent in their systems. Interestingly, this particular researcher didn’t report any bugs in any other vendor’s products this past year.

Microsoft ended up as the #3 vendor this year, but that doesn’t mean they had an easy year. In fact, the folks up in Redmond ended up publishing more security bulletins than in any previous year. They broke the record that they had set the year before, a record which itself stood for only one year. The biggest change for Microsoft vulnerabilities was the continued targeting of browsers. Although Microsoft touted its new Edge browser as being significantly more secure than Internet Explorer, 64% of Microsoft advisories we published were related to browsers, down slightly from 67.5% in 2015. Clearly, researchers are still finding browser bugs. What has changed significantly is the share of browser-related advisories, which has dropped from 95% in 2014. Clearly this reduction was due to advances in the UAF protections introduced silently in 2014. Overall, Microsoft accounted for 11% of published ZDI advisories, down from 17% in 2015.

One truly interesting fact centered on the rise in advisories for Apple products, which made a significant jump this year. While only representing 4% of advisories in 2014 and 2015, Apple products rose to 9% in 2016 with 61 advisories. It will be interesting to see if this trend continues in 2017.

Staying Busy Finding Bugs

Researchers from the ZDI found some bugs of their own during 2016 as well. This is on top of the work they do triaging submissions to ensure they meet the guidelines of the program. ZDI researchers also must fully document the bug before sending it off to the vendor. Even while the patch is being developed by the vendor, ZDI researchers make themselves available in case the vendor has any questions about the bug. Of course, the Pwn2Own and Mobile Pwn2Own competitions require a lot of their focus and time too. The set-up, administration, and verification of bugs take a significant investment of time well beyond the cash payouts.

Despite all of this, 12% of published advisories resulted from the work of ZDI researchers. This research ended up in several conference talks as well. Most notably, ZDI researchers presented at places like Black Hat, DefCon, Ruxcon, and Hushcon. ZDI researchers went around the world attending various conferences and even found time to talk to some university students about research and bug bounties. Even our ridiculous smoking jacket got in on the action with a cameo on an episode of Viceland’s Cyberwar. In other words, it was a pretty busy year for our internal researchers.

Future So Bright…

During 2016, the ZDI program transitioned from HPE to Trend Micro with the sale of TippingPoint. Although some may have had doubts, the program continues to be strong, and this coming year looks to be even better. By the end of the first week of January there will be over 400 upcoming advisories pending public disclosure. 2017 will also be the 10-year anniversary of Pwn2Own – more on that one very soon. Also be on the lookout for new enhancements and improvements to the ZDI program as we further refine what it means to run the world’s largest vendor-agnostic bug bounty program. Maybe we’ll even get around to updating our website – it’s our New Year’s resolution. Until then, stay safe, stay tuned to this blog, and follow us on Twitter for the latest updates from the ZDI.