4 Trends In Vulnerabilities That Will Continue In 2014
Dark Reading, Robert Lemos
1. More pay for researchers
Most vulnerability researchers can now get paid for the effort they put into finding vulnerabilities. Third-party bounty programs are seeing renewed interest.
2. Exploiting the guards
Researchers have found vulnerabilities in most major security software, and that will continue in 2014, according to ZDI's Gorenc. While most upcoming vulnerabilities focus on Microsoft, Adobe, Oracle and other major enterprise software vendors, a few reports include the software the companies rely on to secure their systems. In ZDI's upcoming vulnerabilities list, for example, antivirus firm Sophos and security information and event management (SIEM) firm SolarWinds are both included.
"Toward the end of 2013, we saw researchers looking for a lot more vulnerabilities in security products themselves," says Gorenc.
The trend pairs with a similar focus of attackers, who have, over the past four years, focused on attacking companies that supply security products to enterprises. RSA, Bit9, and Symantec are among the companies that have had their systems breached.
3. Embedded devices mean flaws live longer
From vulnerabilities in Android to problems with universal plug-and-play to security issues in industrial control and medical systems, vulnerabilities in embedded devices are an increasing focus for researchers. Such security issues are a problem for users because most devices are not easily patched, and manufacturers often take months to years to update their device software.
A big part of that is the resurgence of Linux as a target for research, says Rapid7's Moore. In the past, a vulnerability in Linux meant that companies had to patch their Web and database servers, but increasingly those vulnerabilities are found in embedded devices.
"Any time you have a Linux kernel vulnerability, the scary thing is that those don't go away," Moore says. "They get baked into every Android phone and embedded box that is out there."
4. Libraries under attack
Along with embedded systems, attackers will continue their focus on the popular libraries and frameworks used by developers. Graphics libraries, such as LibTIFF, are popular targets of vulnerability research. Rapid7 found that issues in the universal plug and play library, LibPNP, continued to be widespread.
"Library bugs tend to stick around for awhile because they apply to more and more software going forward" as developers build the libraries into more products, Moore says.
Because developers do not usually issue an update to fix vulnerabilities in libraries, software reliant on vulnerable library versions continues to exist. "There is a multi-year tail on those issues," he says.