In 2012, the team was able to release more than 200 researcher advisories and almost 100 upcoming advisories for the 2013 queue. We also released a record number of zero day advisories with the final tally standing at 20. Additionally, we introduced a new spin on the Pwn2Own competition by focusing on vulnerabilities in the mobile attack surface.
Because of ZDI’s position as the premier vulnerability-acquisition program, we often get to work on some of the most interesting and talked-about vulnerabilities during the year. 2012 was no different. At the beginning of the year, a vulnerability in Microsoft’s Remote Desktop (ZDI-12-044, MS12-020) received extensive attention. It was interesting to watch the security community work together to analyze it. Later in the year, the Samba team quickly patched an issue (CVE-2012-1182) in the code generator, which caused the generator to emit code containing multiple heap overflows.
One of the main goals of our vulnerability purchasing program is to provide our customers with cutting-edge zero-day protection through the DVLabs Digital Vaccine service. Each acquired submission is thoroughly examined by our analysts for exploitability, detection logic is developed, and guidance is produced to assist vendors in fixing the vulnerability in question. This guidance is delivered at no cost to the vendor, and protection is provided to our customers in the form of an IPS filter while the vendor works to develop a patch. In the end, we work in lockstep with vendors to resolve the vulnerabilities affecting their products, which in turn helps secure the entire software ecosystem. Highlighted below are some of the vendors we are fortunate enough to work with, as well as products that we have learned to enjoy analyzing:
Top Five Vendors for 2012
- Apple QuickTime
- EMC AutoStart
- Microsoft Internet Explorer
- Oracle Java
- RealNetworks RealPlayer
It was an exciting year in the Pwn2Own competition. At CanSecWest in Vancouver, BC, we hosted Pwn2Own, where VUPEN won 1st place by demonstrating two zero-day vulnerabilities: one in Internet Explorer and another in Chrome. Vincenzo Iozzo and Willem Pinckaers won 2nd place by demonstrating a zero-day vulnerability in Firefox.
At EUSecWest in Amsterdam, we shifted focus to the mobile device attack surface and launched Mobile Pwn2Own. This competition offered prize money for vulnerabilities in the mobile web browser, mobile operating system, Near Field Communication (NFC), Short Message Service (SMS) and cellular baseband. Apple’s iPhone 4S was the first device to fall with a browser vulnerability demonstrated by Joost Pol and Daan Keuper from Certified Secure. The Samsung Galaxy SIII fell a short time later to a vulnerability in a document parser. This was demonstrated by Tyrone Erasmus, Jacques Louw, Jon Butler, and Nils from MWR Labs. Congratulations, once more, to the winners, and watch for details of our upcoming competition where we’ll be bringing close to half a million dollars in possible prize money!
In 2013 we are focusing our efforts on securing critical software being used by our customer base and the greater computing community. We have increased the bounties to researchers who submit superior vulnerability reports in critical software, and will be helping our newer researchers expand their skill sets and contribute quality vulnerability reports. We look forward to your submissions!