Trend Micro ZDI crosses 1000 vulnerabilities in first six months for coordinated disclosure

Trend Micro announced Wednesday that its Zero Day Initiative (ZDI) program has published advisories addressing over 1000 unique vulnerabilities in the first half of this year, largely highlighting the company’s commitment to coordinated disclosure. The announcement at the ongoing Black Hat USA 2023 conference highlights the potential real-world impact of weaponizing these vulnerabilities, which could result in time and financial losses exceeding ten times the cost of prevention.

During a session at the event, Trend Research representatives revealed that silent patching has become particularly common among cloud providers. They added that companies are more frequently refraining from assigning a Common Vulnerabilities and Exposures (CVE) ID for public documentation and are instead privately issuing patches.

Trend Micro disclosed that the lack of transparency or version numbers for cloud services hinders risk assessment and deprives the wider security community of valuable information for enhancing overall ecosystem security. 

The Tokyo-based company also called for an end to silent patching – the practice of slowing or diluting public disclosure and documentation of vulnerabilities and patches. It is a major roadblock to fighting cybercrime but is all too common among major vendors and cloud providers.

“Our proactive investment of millions each year into vulnerability research and purchases saves billions in recovery for both our customers and the industry as a whole,” Kevin Simzer, COO at Trend, said in a media statement. “A concerning trend is being documented of companies lacking transparency around vulnerability disclosure vendor patching, which pose a threat to the security of the digital world.”

Showcasing its commitment to transparent vulnerability patching, Trend’s ZDI issued advisories on several zero-day vulnerabilities, including ZDI-CAN-20784 Github (CVSS 9.9) and ZDI-CAN-20771 Microsoft Azure (CVSS 4.4).

The ZDI-CAN-20784 Github vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft GitHub. Authentication is required to exploit this vulnerability. The flaw exists within the configuration of Dev-Containers. The application does not enforce the privileged flag within a dev container configuration. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the hypervisor. 
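The advisory text above describes a missing enforcement of the `privileged` flag in a dev container configuration. As an added illustration of what such enforcement looks like from the platform side, the following Python audits a `devcontainer.json` document for settings that hand the container host-level power and produces a copy with them stripped. This is example code written for this page, not GitHub's fix or the ZDI proof of concept; the two sample configurations are constructed, and the set of flags checked (`privileged`, `runArgs --privileged`/`--cap-add`, `capAdd`, unconfined `securityOpt`) is an assumption about which settings matter, not a statement of what the advisory covered.

```python
import json
from typing import Any

# Constructed sample devcontainer.json documents for this example (not taken from the advisory).
SAFE_CONFIG = """{
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
  "privileged": false,
  "runArgs": ["--cap-drop=ALL", "--security-opt=no-new-privileges"]
}"""

RISKY_CONFIG = """{
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
  "privileged": true,
  "runArgs": ["--privileged", "--cap-add", "SYS_ADMIN"],
  "capAdd": ["SYS_PTRACE"],
  "securityOpt": ["seccomp=unconfined"]
}"""

# --security-opt values that switch off a kernel sandbox (assumed list for this example).
UNCONFINED = ("seccomp=unconfined", "apparmor=unconfined")


def _split_run_args(run_args: list[str]) -> tuple[list[str], list[str]]:
    """Separate runArgs into (kept, dropped); dropped holds privilege-raising flags with their values."""
    kept: list[str] = []
    dropped: list[str] = []
    i = 0
    while i < len(run_args):
        arg = run_args[i]
        # Normalise "--flag value" into "--flag=value" so both spellings are handled alike.
        if arg in ("--cap-add", "--security-opt") and i + 1 < len(run_args):
            arg = f"{arg}={run_args[i + 1]}"
            i += 1
        flag, _, value = arg.partition("=")
        risky = (
            flag == "--privileged"
            or flag == "--cap-add"
            or (flag == "--security-opt" and value in UNCONFINED)
        )
        (dropped if risky else kept).append(arg)
        i += 1
    return kept, dropped


def audit_config(cfg: dict[str, Any]) -> list[str]:
    """Return findings for a parsed configuration; an empty list means nothing privilege-raising was found."""
    findings: list[str] = []
    if cfg.get("privileged") is True:
        findings.append("privileged: true gives the container every capability and all host devices")
    _, dropped = _split_run_args(cfg.get("runArgs", []))
    findings += [f"runArgs passes {arg}" for arg in dropped]
    findings += [f"capAdd grants {cap}" for cap in cfg.get("capAdd", [])]
    findings += [
        f"securityOpt disables a sandbox: {opt}"
        for opt in cfg.get("securityOpt", [])
        if opt in UNCONFINED
    ]
    return findings


def audit_devcontainer(config_text: str) -> list[str]:
    """Parse a devcontainer.json document (plain JSON assumed) and audit it."""
    return audit_config(json.loads(config_text))


def enforce_unprivileged(config_text: str) -> dict[str, Any]:
    """Return a copy of the configuration with the privilege-raising settings removed.

    This is the policy the advisory says was missing: the platform, not the user's
    file, decides whether a container may run privileged.
    """
    cfg: dict[str, Any] = json.loads(config_text)
    cfg["privileged"] = False
    kept, _ = _split_run_args(cfg.get("runArgs", []))
    cfg["runArgs"] = kept
    cfg.pop("capAdd", None)
    cfg["securityOpt"] = [o for o in cfg.get("securityOpt", []) if o not in UNCONFINED]
    return cfg


if __name__ == "__main__":
    for name, text in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(name, audit_devcontainer(text) or "no findings")
    print("after enforcement:", audit_config(enforce_unprivileged(RISKY_CONFIG)) or "no findings")
```

The audit reports five findings for the risky sample and none for the safe one; running the risky configuration through `enforce_unprivileged` and auditing the result again yields no findings, which is the property a platform-side check should guarantee regardless of what the repository's own `devcontainer.json` requests.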

The ZDI-CAN-20771 Microsoft Azure vulnerability allows remote attackers to disclose sensitive information on Microsoft Azure. An attacker must first obtain the ability to execute high-privileged code on the target environment in order to exploit this vulnerability. The flaw exists within the handling of certificates. The issue results from the exposure of a resource to the wrong control sphere. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.

Going beyond delivering value to customers, Trend Micro announced last month that it aims to improve knowledge and skills across the industry by bringing research to life through experiential learning opportunities at Black Hat 2023.

“At the top of the bill is an interactive Capture the Flag challenge, ‘Hack a Hospital,’ in which participants can play the role of a Red Teamer to help the fictitious St. Isidore Memorial hospital test its cybersecurity posture – and win prizes in the process,” the company said. “The event’s kill chain follows the common Tactics, Techniques, and Procedures (TTP) of the most active ransomware groups of 2023, including Blackbasta, CLOP, Lockbit, and Royal. At the end of the exercise, professional incident response engineers will deliver a threat hunting walkthrough of the kill chain that players executed to demonstrate how attacks can be detected and stopped at an early stage.”

Last month, Midnight Blue research disclosed five zero-day vulnerabilities, two of them deemed critical, affecting the Terrestrial Trunked Radio (TETRA) standard used globally by law enforcement, military, critical infrastructure, and industrial asset owners in the power, oil and gas, water, and transport sectors and beyond.
