Talos Vulnerability Discovery Year in Review - 2018

Introduction

Cisco Talos’ Vulnerability Discovery Team investigates software and operating system vulnerabilities in order to discover them before malicious threat actors. We provide this information to vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers but for everyone. Once these patches become available, the Talos detection content becomes public, as well. You can find all of the release information via the Talos vulnerability information page here.

Over the past several years, our research team has improved the pace at which we disclose vulnerabilities. Talos increased the number of vulnerabilities it disclosed 22 percent year-over-year, and we hope to continue to grow that number. As of Oct. 23, Cisco has updated it’s vendor vulnerability and discovery policy. You can read the complete details here.

Philosophy

Our coordinated disclosure philosophy involves working closely with vendors to address the vulnerabilities discovered by our team. Our focus is to protect customers and share this data in coordination with the software vendor. Responsible reporting involves working within the policy outlined below, while also ensuring the vendor has an opportunity to resolve the issue in a timely manner.

Timeline of actions to be taken by Cisco

In the interest of fostering coordinated vulnerability disclosure, Cisco will attempt to work with any vendor on reasonable adjustments to the above timeline if progress is being made and the 90-day default timeline is not adequate for creating a patch or other type of mitigation that addresses the vulnerability. Extenuating circumstances may result in adjustments to the disclosures and timelines when reasonably necessary.

Reporting on Talosintelligence.com

The Talos Vulnerability DiscoveryTeam released more than 200 advisories in Cisco’s fiscal year 2017, resulting in 202 CVEs. In FY2018 (period ended July 31, 2018), the team increased the discovery total to 251 advisories, which led to nearly 400 CVEs. During FY2018, Talos contributed at least one vulnerability in every Adobe Reader bulletin, 20 vulnerabilities in Foxit PDF Reader, more than 90 advisories for internet-of-things (IoT) devices, eight vulnerabilities in Natus Neuroworks (EEG software), as well as various vulnerabilities in: VMWare, Nvidia Graphics Drivers, OpenOffice, Intel Graphics Drivers, Ethereum applications, and Google PDFium.

FY2018 saw a marked increase in the number of IoT vulnerabilities identified. As IoT devices increase their market share and devices proliferate the associated vulnerabilities are increasing as server exploitation continues to decline.

Conclusion

Finding and disclosing zero-day vulnerabilities via coordinated disclosure helps improve the overall security of the devices and software people use on a day-to-day basis. Talos is committed to this effort, developing programmatic ways to identify problems or flaws that could be otherwise exploited by malicious attackers, as well as having dedicated resources working to ensure clear communication and coordination. These developments help secure the platforms and software customers use and also help provide insight into how Talos can improve its own processes.

For vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal here.

To review our Vulnerability Disclosure Policy, please visit this site here.