Zero Day Initiative (ZDI) has already paid researchers over $1 million for their vulnerability reports so far this year. Looking back at the first six months of 2018, ZDI published a record 600 advisories; during the same period in 2017, ZDI had released 451. Although 2017 was its “busiest year ever,” the 33% increase in bug reports suggests that 2018 could beat the 2017 record.
Despite the fact that reported bugs are on the rise and Trend Micro’s ZDI published more advisories in the first six months of 2018, ZDI published 42% fewer zero-day advisories than it did between January 2017 and June 2017.
Bug trends for Microsoft, Apple, Adobe, SCADA, virtualization software
ZDI highlighted the following as some of the biggest and most interesting trends it has seen in the first six months of 2018:
Microsoft: There has been a huge 121% year-over-year increase in reported Microsoft-related bugs. A good chunk of that was in browsers, “showing how the JIT bugs in IE, Edge, and Chakra Core became the Use-After-Free (UAF) bugs of 2018.” Considering that Microsoft released only 8% more fixes than in the first half of 2017, ZDI believes that the increase in reported bugs “shows program growth rather than just an increase in bugs in Microsoft products.” ZDI noted that it has 39 more Microsoft bugs in its upcoming queue awaiting fixes.
Apple: On the other hand, the number of reported Apple bugs is down 28.5%. This, however, is misleading. ZDI said the lower number of reported Apple bugs “does not take into account the size of Pwn2Own in 2017. If we remove the bugs acquired during Pwn2Own last year and this year, we end up with a 36% increase from one year to the next.” It also matches what ZDI sees in its upcoming queue, where another 30 Apple bugs await security fixes.
SCADA: The number of reported SCADA bugs is skyrocketing, accounting for 30% of the total bugs submitted to ZDI. Many people don’t realize that SCADA products are being touted as IoT controllers, which means they could affect far more than just the infrastructure and manufacturing sectors. The inflated number of SCADA bugs compared to last year is attributed to bugs reported in Advantech, Delta Industrial and Omron products.
ZDI has published 132 Advantech security advisories, representing 22% of all bugs reported so far this year. The 26 Delta advisories and 22 Omron advisories each accounted for 4% of the total.
Adobe: Between January 2018 and June 2018, only two more Adobe bugs were reported than during the same period in 2017. In other words, ZDI published 94 Adobe advisories, which represented 16% of the total, compared to 20% for Adobe advisories in the same period in 2017. The 4% decrease was attributed to the 30% increase in reported SCADA bugs.
Virtualization software: Another trend is security researchers looking for bugs in virtualization software. Reports of these types of bugs have skyrocketed 275% since last year. Between the bug reports in Oracle VirtualBox at Pwn2Own this year and the VMware reports that ZDI has received, it shows that “research into the security of these virtualization products is only just beginning.”
All signs point to continued growth in vulnerability research and an increasing rate of new bugs reported for the remainder of 2018. ZDI noted, “It’s impossible to predict how the rest of 2018 will play out, but if we use 2017 as a guide, it will be even busier.”