Zero Day Report
A SPECIAL REPORT FROM THE EDITORS AT CYBERSECURITY VENTURES
The Zero Day Report — sponsored by Digital Defense — provides zero day vulnerability trends, statistics, best practices, and resources for chief information security officers (CISOs) and IT security teams.
ZERO DAY EXPLOITS
Bad code and Black Hats will boost zero-day attacks in 2017
Menlo Park, Calif. – Jan. 3, 2017
An ever-increasing amount of new code and a robust underworld economy will be stoking the market in 2017 for zero-day vulnerabilities.
Although strides are being made to produce more secure code through the use of automation and better tools, the sheer volume of code being produced is enormous. And it’s only going to grow exponentially to meet the thirst for software for web applications, mobile hardware and devices connected to the Internet of Things.
“The application attack surface is growing by 111 billion new lines of software code every year,” explains Steve Morgan, founder and editor-in-chief at Cybersecurity Ventures. He predicts that newly reported zero-day exploits will rise from one-per-week in 2015 to one-per-day by 2021.
In the more immediate future, more zero-day flaws will be found in commercial software produced by companies like Adobe and Apple. According to the Zero Day Initiative, 135 vulnerabilities were discovered in Adobe products during the first 11 months of 2016 and 76 in Microsoft products. Meanwhile, the number of zero-day flaws in Apple products doubled over the previous year, to 50 from 25. “We predict that more software flaws will be discovered in Adobe and Apple products in addition to Microsoft’s,” Trend Micro notes in its security predictions for 2017.
Those Adobe flaws will likely make their way into exploit kits, where less skilled hackers can tap into their power. No longer will a threat agent need the kind of specialized skill set found in nation-states and criminal organizations to take full advantage of zero-day flaws. “The rise of this kind of advanced, yet easy-to-use malware means we will begin to see significant attacks from a much broader range of attackers,” Tom Corn, senior vice president of security products at VMware, writes in a prediction piece for 2017.
The sheer volume of code being produced isn’t the only contributor to zero-day vulnerability growth as developers these days are using more and more open source code. In the average commercial application, 30 percent of the code is open source, according to Black Duck, an IBM information security company, although that number can be even higher for in-house apps. And Gartner predicts that by the end of this year, there will be open source code in 99 percent of the mission-critical apps of the Global 2000.
That widespread use of open source code can be problematic from a security standpoint. A block of code can be a component in software written for many kinds of devices so a zero-day flaw found in such a component can be multiplied many times. “You’ll typically see a slew of vulnerabilities come out on all sorts of appliances and platforms,” says Mike Cotton, vice president of research and development at Digital Defense, a provider of information security assessment solutions.
What’s more, tools created to allow developers to cope with the demands to get applications to market faster than ever for a diverse number of devices has made discovery of zero-day and other types of vulnerabilities easier for hackers. For example, software can be run on a “virtual” version of a hardware device without the need to buy the device itself. “That shrinks the cost for an attacker to examine and exploit these platforms,” Cotton explains.
Discovery of zero-day vulnerabilities in the coming year will also be fueled by market forces. When the demand for a commodity increases in a market, so does its sale value, and that will be the case with zero-day flaws.
More and more companies are turning to bug bounty programs to find critical flaws in their software. White Hat hackers participating in such programs — which often pay a premium for zero-day vuls — have been steadily getting more money for the bugs they find. Over the last 12 months alone, bug rewards have increased 47 percent, according to Bug Bounty, a platform for bounty hunters. Not only are such programs growing — since 2013, they’ve grown 213 percent on the Bug Bounty platform alone — but much of that growth is happening in the enterprise.
Bug hunters for legitimate sources, though, aren’t compensated anywhere near what Black Hats are for a zero-day vulnerabilities on the black market where they can fetch up to $10,000 for a remote control execution flaw in Microsoft Word or Excel to $1.5 million for an Apple iOS 10 remote jailbreak.
While growing discovery of zero-day flaws threaten to overwhelm system defenders, efforts are being made to counter the damage those flaws can do through automation. A leader in those efforts is DARPA — the U.S. Defense Advanced Research Projects Agency — which demonstrated in August the future of zero day combat during its Cyber Grand Challenge. The Challenge allowd seven teams from all over the world to show how their automated solutions could not only find bugs in software but write secure code to replace the buggy programming.
“There’s a saying in the hacker community that ‘zero day can happen to anybody,’” DARPA CGC Program Manager Mike Walker said at the end of the competition. “What that means is that unknown flaws in software are a universal lock-pick for intruders.”
“Tonight we showed that machines can exist that can detect those lock-picks and respond immediately,” he continued. “We have redefined what is possible, and we did it in the course of hours with autonomous systems that we challenged the world to build.”
– John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.
© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.