Microsoft-related bug reports up 121%, virtualization software bugs up 275%

Zero Day Initiative (ZDI) has already paid out more than $1 million to researchers for their vulnerability reports so far this year. Looking back at the first six months of 2018, ZDI has published a record-breaking 600 advisories; during the same period in 2017, ZDI had published 451. Although 2017 had been its “busiest year ever,” the 33 percent increase in bug reports makes it look like 2018 may shatter the 2017 record.

Despite the fact that reported bugs are on the rise and Trend Micro’s ZDI published more advisories during the first six months of 2018, ZDI has published 42 percent fewer zero-day advisories than it had between January 2017 and June 2017.

Bug trends for Microsoft, Apple, Adobe, SCADA, virtualization software

ZDI pointed out the following as being some of the biggest and most interesting trends it has seen in the first six months of 2018:

Microsoft: There was a whopping 121 percent year-over-year increase in Microsoft-related bugs reported. A good chunk of those were in browsers, “showing how JIT bugs in IE, Edge, and Chakra Core have become the use-after-free (UAF) bugs of 2018.” Considering Microsoft has released only 8 percent more patches than it did in the first half of 2017, ZDI believes the rise in reported bugs “shows program growth rather than just increased bugs in Microsoft products.” ZDI noted that it has another 39 upcoming Microsoft bugs awaiting patches. 

Apple: On the other hand, the number for reported Apple bugs is down 28.5 percent. That, however, is deceptive. ZDI said the lower number of reported Apple bugs “doesn’t take into account how large Pwn2Own was in 2017. If we remove the bugs acquired during Pwn2Own last year and this year, we end up with an increase of 36% year over year. This matches what we’re seeing in our upcoming queue as well, where 30 more Apple bugs await security patches.”  

SCADA: The number of reported SCADA bugs are soaring, accounting for 30 percent of the total bugs submitted to ZDI. Many folks don’t realize that SCADA products are being pitched as IoT controls, meaning it could affect much more than just infrastructure and manufacturing sectors. The bloated number of SCADA bugs as compared to last year was accredited to bugs reported in Advantech, Delta Industrial, and Omron.

ZDI published 132 Advantech security advisories, making up 22 percent of all reported bugs so far this year. The 26 Delta advisories and 22 Omron advisories each made up 4 percent of the total advisories.

Adobe: Between January 2018 and June 2018, there were only two more Adobe bugs reported than in the same time period in 2017. Put another way, ZDI put out 94 Adobe advisories, which accounted for 16 percent compared to 20 percent of Abode advisories for the same time in 2017. The 4 percent decrease was chalked up to the 30 percent increase in reported SCADA bugs.

Virtualization software: Another trend deals with security researchers hunting bugs in virtualization software. The reports of these types of bugs has skyrocketed 275 percent since last year. Between the bug reports in Oracle VirtualBox at Pwn2Own this year and the VMware reports ZDI has been receiving, it shows that “research into the security of these virtualization products is really just getting underway.”

All signs point to continued growth in vulnerability research and an increasing rate of new bugs being reported for the rest of 2018. ZDI noted, “It’s impossible to predict how the rest of 2018 will go, but if we use 2017 as a guide, it will be even busier.”