As the calendar year draws to a close we want to take the opportunity to disseminate some of the data that the Zero Day Initiative (ZDI) has acquired through the vulnerability purchasing program, reflect upon the state of (coordinated) disclosure and highlight some of the upcoming endeavors the team will be involved in. 2011 has been another record-breaking year for the program, with 350 researcher advisories and 14 internal advisories published thus far. 2012 promises to be another busy year for ZDI, as the team already has more than 160 upcoming advisories in the queue.
The vulnerability purchasing program has netted some impressive results this year and enabled our Digital Vaccine team to provide a great deal of 0-day coverage to our customers. Because of our position as the premier vulnerability-acquisition program, we are often asked to provide an analysis of the state of the vulnerability landscape or to comment on the efficacy of the software industry's security response process; in doing so, it is important to consider the source of the ZDI dataset when we look at these topics. Our stated goals include providing a quality active protection system for our IPS customer base and a responsible methodology for assisting software development teams in identifying and patching security vulnerabilities in their products. These goals govern every decision we make when it comes to the vulnerabilities that we purchase: we have an obligation to protect the enterprise market, our core customer base, and this is quite obviously reflected in the "affected product(s)" section of our advisories. Take, for example, our top ten affected vendors in 2011:
Vulnerabilities in these vendors' products represent 81% of the published and upcoming advisories from the 2011 ZDI queue. The distribution of vendors in our vulnerability acquisition program is consistent with their position in the enterprise space.
Our 180-day disclosure policy has been a driving force in helping ZDI to produce record numbers of advisories throughout the past year and, in our eyes, improve the overall state of software security. As a result of our announcement of the 180-day deadline last August, we have dropped 29 advisories as 0-day, affecting vendors such as Cisco, HP, IBM and Microsoft. The response from vendors has been positive, and they continue to work with the ZDI analysts to address the issues reported within a reasonable time-frame. That process can sometimes cause a reported vulnerability to age past the 180-day deadline - which is perfectly acceptable given our end goal: improving the state of security vulnerability reporting and management.
One of the more interesting trends to come out of the 2011 data is the rise of SCADA/Industrial Control Systems vulnerabilities. This was the first year in the history of the program that ZDI published advisories for software in the industrial controls industry. The six published and upcoming advisories affected some of the industry's major vendors, including GE, Honeywell and InduSoft. We expect to see SCADA/Industrial Control Systems vulnerabilities continue to be represented in the ZDI advisories for 2012 and are pleased to have a great working relationship with the Department of Homeland Security's Industrial Control Systems CERT team.
As in previous years, web-browser bugs played a major role in the ZDI program. Roughly 10% of the published and upcoming advisories affect one of the three major web browsers (WebKit, Firefox, Internet Explorer). The numbers also include six vulnerabilities revealed during our 2011 Pwn2Own contest at CanSecWest (Internet Explorer 3, WebKit 2, Safari 1).
Speaking of Pwn2Own, look for big changes to the contest for 2012 - we're stepping up the stakes and, we'd like to think, the excitement surrounding this already attention-grabbing contest. Watch for announcements regarding the format and prizes in the next month or so.
Finally, we have a lot of projects in the pipeline which leverage the recent consolidation of security research under the HP Enterprise Security umbrella. This includes continued collaboration with our colleagues at HP Fortify and ArcSight in data-, resource- and mind-sharing. Expect big announcements on this front over the next year, as well.