The Zero Day Initiative (ZDI) awarded over $1.5 million in cash and prizes to bug hunters across 2019. A total of 1,035 security vulnerability advisories were published throughout the year.
Some 88% of those advisories were published alongside a patch from the vendor of the affected program, according to ZDI. Only 127 advisories were not published with an accompanying patch.
The Year 2019 Saw a Spike in Critical Vulnerability Flaws
Notable achievements from 2019 included Pwn2Own Vancouver – a hacking contest – adding an automotive category. As far as the vulnerabilities themselves are concerned, there was a notable increase in the abuse of Windows User Account Control, the Samsung handset being exploited via its baseband, and more. ZDI compiled all of the information and findings into a blog post published on Thursday.
In terms of trends, there was a major shift towards reports of high-severity flaws in 2019. In the past, most of these advisories were for small-to-medium-severity bugs. There were 98 critical alerts, 583 high-severity alerts, and 167 medium-severity alerts in all. This is a marked change from the 262 critical, 211 high-severity, and 867 medium-severity bugs of 2018.
The number of low-severity warnings has been increasing year over year, with 191 in 2019 compared to 103 in 2018.
In what is likely a surprise to no one, Microsoft topped the charts in terms of advisories, with 190 disclosures attributed to the company.
In the past, most Microsoft bugs were related to browsers. While that’s still true, there has also been an increase in the number of bugs that affect the operating system itself. There was a particular increase in bugs affecting font parsing, for example. The JET database engine also saw a lot of interest from researchers this year.
Adobe came just behind Microsoft with 166 advisories. The company has always been something of a bug magnet thanks to the vulnerabilities associated with Flash. This changed a little in 2019, with two out of three Adobe bugs being related to Acrobat and Reader. There were some Flash bugs of course, but there were five times more bugs related to Photoshop than to Flash.
Nearly a Third of Security Advisories Were for Industrial Control Systems
Another interesting tidbit from the findings is that over 30% of the published advisories affected industrial control systems (ICS) from vendors including Rockwell Automation and Delta Industrial. This is a major increase over 2018 and it’s expected that the number could increase even more in 2020.
The most common vulnerabilities discovered in 2019 were out-of-bounds (OOB) read flaws. Use-after-free (UAF) bugs came in second, and OOB writes were third. The top five were rounded out by stack-based buffer overflows and heap-based overflows.
Around 6% of bounties were paid out for “improper neutralization of special elements used in an expression language statement” bugs. These “expression language injection” bugs are server-side code injection vulnerabilities that allow an attacker to compromise all of the data and functionality of an application. They also generally allow the attacker to gain access to the server hosting the application.
ZDI noted an increase in deserialization bugs, suggesting that the trend is likely to develop further in 2020, though they do not expect deserialization bugs to reach the volume of OOB reads.
It’s likely that the number of advisories stemming from 2019 discoveries will continue to rise for a little while yet, since ZDI regularly receives notifications early in the year for bugs discovered late in the previous year, so the 2019 total may still increase slightly. The bug-bounty report from ZDI comes hot on the heels of Google announcing that it had paid out some $6.5 million in rewards to bug hunters in 2019.