Checking In: A Look Back at the First Half of 2018

It hardly seems possible, but we’re already halfway through 2018. Now is a good time to look back on the last six months to see where the Zero Day Initiative program stands and how that compares to the first half of 2017. Last year was our busiest year ever, but it turns out that 2018 has been a year of constant growth.

Growth in the research community

To start, more than 500 new researchers have registered to participate in the program just this year. It’s always exciting to see new research come in, especially from far-reaching places. We have bug submissions from six continents now, but we’re hopeful our penguin outreach strategy can turn that into seven. In total, more than 3,500 people are registered participants from around the globe. In the first six months of the year, they’ve earned more than $1,000,000 USD for their vulnerability reports.    

Our research team has grown as well. The increased level of submissions means we need more ZDI security researchers to review and validate the bugs. Our intern from 2017 has become the latest ZDI security researcher. He now sits next to our 2018 intern. To help ensure the pipeline of talented researchers continues, we’ve started to include university visits in our travel schedule, including Boğaziçi University in Istanbul, Turkey. All indications point to a new crop of researchers bringing their unique talents and energy to vulnerability and exploit hunting.

Regardless of whether they were new or had been at this a while, researchers have had a busy start to 2018.

Bugs on the rise

For the first half of this calendar year, we have published 600 advisories compared to 451 during the same time span in 2017. That’s a 33% increase over what had been our busiest year ever. It also puts us on pace for between 1,200-1,300 total advisories for the year. Interestingly, we had fewer advisories released as 0-day this year. The first six months of 2018 saw only 23 advisories exceed our coordination timelines as opposed to 49 last year – a decrease of 42%. That means we successfully coordinated 577 bug reports with the vendor to release alongside a security patch or other mitigation.

Here’s the breakdown of vendors for our published advisories for January through June of 2018: 

To put that in perspective, here’s the distribution for the same time period in 2017:

The comparison shows a couple of interesting trends.

- SCADA bugs continue to soar. In 2017, we saw 21 bugs in Schneider Electric, but 2018 trounced their number with Advantech rising to the number one spot on our list. Together with Delta Industrial and Omron, SCADA bugs account for more than 30% of submissions to the program. Think SCADA only affects the infrastructure and manufacturing sectors? Many of these same products are being pitched as IOT controls, too, making their reach much broader than most folks realize.

- Increasing focus on Microsoft – especially in the browser space. Bug reports in Microsoft products increased 121% year-over-year. Many of these bug reports were in browsers, showing how JIT bugs in IE, Edge, and Chakra Core have become the UAF bugs of 2018. Overall, Microsoft only released 8% more patches in the first half of this year versus the first half of 2017, so the rise in bug reports to the program shows program growth rather than just increased bugs in Microsoft products. We still have 39 upcoming Microsoft bugs, so this pace is likely to continue.  

- Apple numbers are deceptive. At first glance, it looks like Apple reports are down 28.5% this year. However, that doesn’t take into account how large Pwn2Own was in 2017. If we remove the bugs acquired during Pwn2Own last year and this year, we end up with an increase of 36% year-over-year. This matches what we’re seeing in our upcoming queue as well, where 30 more Apple bugs await security patches.

- Adobe volume remains consistent. There were just two more Adobe bug reports this year over last year. Interestingly, the overall percentage of Adobe reports decreased by 4%. This is due to the increase in SCADA submissions (see above) and the rise of bug reports in the Foxit Reader. It turns out the Acrobat alternative has its own security issues with PDF files.

- Bug reports in Trend Micro products are down 44% over last year. Once ZDI was acquired by Trend Micro, we expected (and received) bug reports related to Trend Micro products. Efforts made by Trend Micro’s sustained engineering teams have improved the security of these product, which resulted in the decrease of new reports.

- Emergence of bugs in virtualization software. We started seeing bug reports in Oracle VirtualBox at Pwn2Own this year, and that trend has continued as reports on the virtualization product are up 275% since last year. This goes along with the VMware reports we’ve been receiving since last year’s contest, showing research into the security of these virtualization products is really just getting underway.

It’s also important to remember that most of these bugs become IPS filters. In fact, nearly one-third of accepted submissions become protections for Trend Micro customers. These filters offer protections an average of 72 days before a patch is available, and once the patch is available, they offer protections until you get the patch installed. While some may think we only buy bug reports that can be filtered, that’s not always the case. We buy bugs that are worthwhile and impactful. To get a better understanding of what we’re looking for in submissions, check out this blog from Shannon Sabens, our Program Manager

Looking ahead

All indications point to a continued growth in vulnerability research. While there remains some uncertainty due to existing and proposed legislation in multiple regions, new bugs keep coming into the program at an ever-increasing rate. It’s impossible to predict how the rest of 2018 will go, but if we use 2017 as a guide, it will be even busier. In the coming months, we’ll be hosting another Mobile Pwn2Own competition, and later this month, we’ll have a major new addition to the ZDI program. We’re also scheduled to be at conferences in the U.S., Canada, Europe, Africa, South America, and Asia. We hope to see you out there. Until then, stay safe, stay tuned to this blog, and follow us on Twitter for the latest updates from the ZDI.