ThreatList: Virtualization-related Bug Reports Jump 275 Percent in 2018

The Zero Day Initiative said that the number of bugs reported in 2018 is on track to trump its previous busiest year, 2017.

Zero Day Initiative said Monday that so far in 2018, it has published 600 advisories – up 33 percent from the 451 published in 2017, which was previously its “busiest year ever.”

“Interestingly, we had fewer advisories released as 0-day this year,” the company said in its mid-year report on advisories. “The first six months of 2018 saw only 23 advisories exceed our coordination timelines as opposed to 49 last year – a decrease of 42%. That means we successfully coordinated 577 bug reports with the vendor to release alongside a security patch or other mitigation.”

Here are some of the biggest bug report trends in 2018, so far:

  • SCADA bugs are continually on the rise, with those types of bugs accounting for more than 30 percent of submissions to the program. ZDI said that bugs were reported in Delta Industrial and Omron products, but Advantech ultimately rose to the number one spot on the bug reports list.
  • Bugs reported in Microsoft products have jumped up 121 percent year-over-year, with many of these bugs being reported in browsers. “Overall, Microsoft only released 8% more patches in the first half of this year versus the first half of 2017, so the rise in bug reports to the program shows program growth rather than just increased bugs in Microsoft products,” said ZDI.
  • The number of Adobe bugs reported remains consistent, as there were only two more Adobe reports this year over last year.
  • ZDI said it is seeing more bug reports for virtualization software like Oracle VirtualBox this year. Overall, reports on the virtualization product are up 275 percent since last year, the researchers said.
  • ZDI said that it sees continued growth in vulnerability research – and also an increase in the potential bugs reported: “It’s impossible to predict how the rest of 2018 will go, but if we use 2017 as a guide, it will be even busier,” it said in its report.

According to the Zero Day Initiative, here is the breakdown of vendors for published advisories from January through June of 2018:

(ThreatList is an occasional overview of the InfoSec landscape as represented in at-a-glance lists of relevant data.)
