The ZDI 2018 Retrospective

January 17, 2019 | Dustin Childs

At the end of 2016, the ZDI program completed its busiest year ever. That record was beaten in 2017 with a more than 40% increase in published advisories. When 2018 rolled around, we wondered whether that growth would continue or whether a plateau was coming. I don’t think anyone predicted another 40% increase, but that’s exactly what happened, as we set a record for the most advisories published by the program for the fifth year in a row.

We could not sustain this increase in advisories – and thus better protections for Trend Micro customers – without the contributions of the talented and diverse group of security researchers submitting bug reports to our program. People from around the globe send vulnerability reports to the ZDI, and the quality and volume never disappoint. Our program would not be successful without our worldwide community of researchers, and we thank them for their contributions. Our program also relies on vendors patching the vulnerabilities we report to them, and we thank them for the work they do as well.

By the Numbers

In 2018, the ZDI published 1,444 advisories – 427 more than in 2017, a 42% increase in published advisories. Of these, 158 (nearly 11%) were published as 0-day, a decrease of 1% from last year. That means the remaining 1,286 issues were successfully coordinated with the vendor and released alongside a patch or other mitigation.

Here’s a breakdown of the vendors ZDI published advisories for in 2018:

Figure 1 - Vendor count of published advisories for 2018

And here’s how that compares to the last few years:

Figure 2 - Vendor count of published advisories - 2015-2018

Before we get to the details, it should be noted that these numbers represent only what was submitted to the ZDI program. While they reflect broader trends throughout the industry, they should not be construed as definitive for all vendors or programs. For example, we purchase very few bug reports in Google Chrome, but this doesn’t mean there aren’t bugs in Chrome – it just means most of those bugs get reported directly to Google.

With that said, Foxit and Adobe take the top two spots for advisories published in 2018. This mirrors the increased use of PDFs in active exploits. While we did purchase some Flash and Photoshop bug reports, 96% of our Adobe advisories were Acrobat or Reader related. We’ve been seeing an increased focus on PDF research over the last few years, so this isn’t much of a surprise.

The next biggest vendor by published advisories was Advantech. Combine their numbers with those of Wecon, Delta Industrial, Omron, ABB, and others, and it turns out that around 25% of our published advisories for 2018 were related to SCADA and industrial control systems (ICS). Clearly, there’s some work to be done in the ICS industry to shore up their code. This segment also struggles with response, as many of these advisories were published as 0-day reports. In fact, 84% of the 0-days we released in 2018 were related to industrial control systems.

Microsoft is the next biggest vendor, with a 30% increase in published advisories year-over-year. Of the 124 Microsoft advisories published by the ZDI, 47% were in some way browser related. I say browser related, since this number includes IE, Edge, ChakraCore, and VBScript bugs that behave like browser bugs (i.e. visit a web site and get owned). This year also saw the ZDI become the top contributor of bug reports to Microsoft. Security patches from Microsoft in total have risen less than 10%, so it’s good to see more of these reports coming through our program.

Of course, buying bug reports is more meaningful when you are buying impactful bugs. Figure 4 shows the severity distribution of published advisories based on the CVSS scores.

Figure 4 - CVSS Distribution of Published Advisories

Critical- and High-rated bugs make up 33% of bug reports for 2018, with Medium-severity reports making up 60%. There’s definitely an uptick in security research across the board, and these numbers indicate that many of those new bugs fall in the Medium severity class. Don’t sleep on the Low-severity cases, either. Many of those (an information leak, for example) provide exactly what is needed to make the Medium- and High-severity bugs exploitable more reliably.

Predicting Trends

While any predictions are inherently flawed, there are a few trends we can call out. As a program, these are the areas where we are investing our own research time, and we’d love to see your submissions in these topics, as well.

Devices Matter

Pwn2Own Tokyo saw the inclusion of IoT devices, and we recently announced that Pwn2Own Vancouver will have an automotive category featuring a Tesla Model 3. As our world becomes more interconnected, security problems in the devices we rely on could end up causing more harm than the convenience they provide. In a similar vein, the SCADA/IIoT industry must no longer de-prioritize security in favor of longevity or ease of use.

Patching Improvements 

Many of the bug reports we purchase are the result of security patches that failed to fully address a problem, so the same root cause comes back as a new report. Many end users have lost faith in security patches, despite the fact that the best protection against active attack is still a fully patched system. Vendors need to improve patch quality from both a security and a reliability perspective.

PDF Security

The PDF format continues to be used in active attacks, and there is no apparent end in sight. Considering that the format is rendered on many operating systems by many applications, it’s no wonder it remains an attractive target. Vendors must develop defense-in-depth measures that eliminate whole classes of vulnerabilities for PDFs to reach some acceptable level of safety.

Looking Ahead

If the trend of the last few years continues, we will publish even more advisories in 2019 across a broader range of products.

Figure 5 - Published advisories per year

We’ve already published 30 advisories through the first two weeks of the year, including our first 0-day of 2019. Our Pwn2Own contests look to expand as we constantly add new targets and categories. We also look to enhance our own research this year, as we aim to publish more blogs with Proof-of-Concept (PoC) code and exploit demos. We also hope to increase the number of MindShaRE blogs we publish, which provide reverse engineering techniques that can be used by all. In other words, 2019 is shaping up to be a busy year with a ton of great research to come. We hope you come along for the ride. Until then, stay safe, stay tuned to this blog, and follow us on Twitter for the latest updates from the ZDI.