TippingPoint Digital Vaccine Laboratories

2012: Year in Review

As we sit back and reflect on the year, we wanted to highlight some of the work going on in DVLabs and reveal some of the statistics from what has truly been an interesting year in the Zero Day Initiative program. Our dedicated team of security researchers excelled under adversity during a challenging year, which included the untimely loss of a great friend and colleague Assad Khan.

In 2012, the team was able to release more than 200 researcher advisories and almost 100 upcoming advisories for the 2013 queue. We also released a record number of zero day advisories with the final tally standing at 20. Additionally, we introduced a new spin on the Pwn2Own competition by focusing on vulnerabilities in the mobile attack surface.

Because of ZDI’s position as the premier vulnerability-acquisition program, we often get to work on some of the most interesting and talked-about vulnerabilities of the year, and 2012 was no different. At the beginning of the year, a vulnerability in Microsoft’s Remote Desktop (ZDI-12-044, MS12-020) received extensive attention, and it was interesting to watch the security community work together to analyze it. Later in the year, the Samba team quickly patched an issue (CVE-2012-1182) in its code generator, which had caused it to emit code containing multiple heap overflows.

One of the main goals of our vulnerability purchasing program is to provide our customers with cutting edge zero day protection through the DVLabs Digital Vaccine service. Each acquired submission is thoroughly examined by our analysts for exploitability, detection logic is developed, and guidance is produced to assist vendors in fixing the vulnerability in question. This guidance is delivered at no cost to the vendor and protection is provided to our customers in the form of an IPS filter while the vendor works to develop a patch. In the end, we work in lockstep with vendors to resolve the vulnerabilities affecting their products, which in turn helps secure the entire software ecosystem. Highlighted below are some of the vendors we are fortunate enough to work with, as well as products that we have learned to enjoy analyzing:

Top Five Vendors for 2012
  • Apple
  • EMC
  • HP
  • Microsoft
  • Oracle
Top Five Products for 2012
  • Apple QuickTime
  • EMC AutoStart
  • Microsoft Internet Explorer
  • Oracle Java
  • RealNetworks RealPlayer
In 2012, the most popular vendor targeted by our researchers was Microsoft with over 100 submissions. We have also seen the quality of the submissions from our researchers improve over the year and an increased number of new researchers with quality reports. The influx of cases resulted in a very busy November and December for Zero Day Initiative. In those two months alone, our program reported more than 30 critical vulnerabilities in Oracle and Microsoft’s flagship products. Our researchers also continued to take advantage of the bonuses offered in our benefits program, with an increased number reaching the Platinum level in 2012.

It was an exciting year in the Pwn2Own competition. At CanSecWest in Vancouver, BC, we hosted Pwn2Own, where VUPEN won first place by demonstrating two zero day vulnerabilities: one in Internet Explorer and another in Chrome. Vincenzo Iozzo and Willem Pinckaers won second place by demonstrating a zero day vulnerability in Firefox.

At EUSecWest in Amsterdam, we shifted focus to the mobile device attack surface and launched Mobile Pwn2Own. This competition offered prize money for vulnerabilities in the mobile web browser, mobile operating system, Near Field Communication (NFC), Short Message Service (SMS) and cellular baseband. Apple’s iPhone 4S was the first device to fall with a browser vulnerability demonstrated by Joost Pol and Daan Keuper from Certified Secure. The Samsung Galaxy SIII fell a short time later to a vulnerability in a document parser. This was demonstrated by Tyrone Erasmus, Jacques Louw, Jon Butler, and Nils from MWR Labs. Congratulations, once more, to the winners, and watch for details of our upcoming competition where we’ll be bringing close to half a million dollars in possible prize money!

In 2013 we are focusing our efforts on securing critical software being used by our customer base and the greater computing community. We have increased the bounties to researchers who submit superior vulnerability reports in critical software, and will be helping our newer researchers expand their skill sets and contribute quality vulnerability reports. We look forward to your submissions!

Published On: 2013-01-08 15:25:24
