Looking Back at Fortinet’s Security Research and Vulnerability Discoveries

In an effort to provide more proactive protections in Fortinet products and to more effectively identify and defeat network threats, the Fortinet security research team works on discovering potential threats in popular products. As a result, over the past year we have discovered 84 vulnerabilities that have been reported to their respective vendors as part of our responsible vulnerability disclosure process. Fortinet protections against these discoveries were released to Fortinet products at the same time these vulnerabilities were reported to their vendors. As a result, Fortinet products have been able to proactively protect Fortinet customers’ networks and systems against zero-day attacks targeting these vulnerabilities long before vendor patches for them became available.

Of the 84 vulnerabilities we have discovered, vendors have patched 41 of them, 24 have been confirmed and are being patched by the vendors, and vendors are currently investigating 19 of them. See the Figure 1 below.

Figure 1. Vulnerabilities categorized by status

You can find all of the patched vulnerabilities by clicking here and searching for "FG-VD-16". Clicking here and searching for "FG-VD-16" will let you find the unpatched vulnerabilities. Looking through the vulnerability list you will find that vulnerable products include products from large tech companies such as Microsoft, IBM, Google, and Adobe.

When evaluating the severity of these 84 vulnerabilities, we rated 14 of them as Critical, 45 of them as High, 22 of them as Medium, and 3 of them as Low. See Figure 2, below.

Figure 2. Vulnerabilities categorized by severity

To help users better understand the root cause and risks of these vulnerabilities, Fortinet security researchers have written a number of deep analysis reports and posted them in Fortinet security research blogs. You can read these reports by selecting the following links:

• Multiple_IBM_BigInsights_XSS_Vulnerabilities
• WooCommerce Tax Rates Cross-Site Scripting Vulnerability
• Microsoft Kernel Integer Overflow Vulnerability
• IBM Rational Collaborative Lifecycle Management XSS Vulnerability
• Microsoft Removed Journal From Windows Due To Security Issues
• Deep Analysis of CVE-2016-3820 – Remote Code Execution Vulnerability in Android Mediaserver
• Analysis of CVE-2016-4203 – Adobe Acrobat and Reader CoolType Handling Heap Overflow Vulnerability
• Analysis of Use-After-Free Vulnerability (CVE-2016-4119) in Adobe Acrobat and Reader
• Analysis of CVE-2016-2414 – Out-of-Bound Write Denial of Service Vulnerability in Android Minikin Library

As a security development and research company, protecting our customers in a proactive way is our highest goal. Which is why we have dedicated so many security research team members and resources to uncover vulnerabilities in widely used products. The more potential threats we can discover, the more protections we can add to our products, allowing us to better protect our customers against zero-day attacks.

Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.