Vulnerability (computing)

Overview

In computer security, the term vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. For a system to be vulnerable, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

A security risk may be classified as a vulnerability.
A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploit. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was available or deployed, or the attacker was disabled.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

Causes

  • Complexity: Large, complex systems increase the probability of flaws and unintended access points.
  • Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability that an attacker has or can find the knowledge and tools to exploit the flaw.
  • Connectivity: More physical connections, privileges, ports, protocols, and services, and the time each of those is accessible, increase vulnerability.
  • Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
  • Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with "default permit" policies grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator (see http://www.ranum.com/security/computer_security/editorials/dumb/).
  • Internet website browsing: Some internet websites may contain harmful spyware or adware that can be installed automatically on the computer systems. After visiting those websites, the computer systems become infected and personal information is collected and passed on to third parties.
  • Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application.
  • Unchecked user input: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (buffer overflows, SQL injection, or other non-validated inputs).
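As an added example (not from the original article), the "unchecked user input" cause above shown in Python: a lookup that concatenates the caller's input into a SQL statement beside the parameterised form, run against a constructed in-memory SQLite table so the difference in returned rows can be checked. All function and table names are chosen here.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_unchecked(conn, name):
    """Vulnerable: the input is pasted into the statement text, so any
    quote character in it is parsed as SQL rather than as data."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Hardened: the input is bound as a parameter; the database driver
    never treats its contents as part of the statement."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed test input: a name containing a quote, which the unchecked
# version turns into an always-true WHERE clause.
CRAFTED = "x' OR 'a'='a"


def demo():
    """Run both lookups on honest and crafted input and return the rows."""
    conn = make_db()
    return {
        "honest_unchecked": lookup_unchecked(conn, "alice"),
        "crafted_unchecked": lookup_unchecked(conn, CRAFTED),
        "crafted_parameterised": lookup_parameterised(conn, CRAFTED),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The unchecked lookup returns every row for the crafted input, while the parameterised lookup returns none because no user is literally named `x' OR 'a'='a`.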

Vulnerability disclosure

The method of disclosing vulnerabilities is a topic of debate in the computer security community. Some advocate immediate full disclosure of information about vulnerabilities once they are discovered. Others argue for limiting disclosure to the users placed at greatest risk, and only releasing full details after a delay, if ever. Such delays may allow those notified to fix the problem by developing and applying patches, but may also increase the risk to those not privy to full details. This debate has a long history in security; see full disclosure and security through obscurity. More recently a new form of commercial vulnerability disclosure has taken shape, as some commercial security companies offer money for exclusive disclosures of zero-day vulnerabilities. Those offers provide a legitimate market for the purchase and sale of vulnerability information from the security community.

From the security perspective, a free and public disclosure is only successful if the affected parties get the relevant information before potential hackers do; if they do not, the hackers could take immediate advantage of the revealed exploit. With security through obscurity the same rule applies, but this time it rests on the hackers finding the vulnerability themselves, as opposed to being given the information from another source. The disadvantage here is that fewer people have full knowledge of the vulnerability and can aid in finding similar or related scenarios.

The disclosure channel should be unbiased to enable a fair dissemination of security-critical information. Most often a channel is considered trusted when it is a widely accepted source of security information in the industry (e.g. CERT, SecurityFocus, and Secunia). Analysis and risk rating ensure the quality of the disclosed information. The analysis must include enough details to allow a concerned user of the software to assess their individual risk or take immediate action to protect their assets.

Vulnerability disclosure date


The time of disclosure of a vulnerability is defined differently in the security community and industry. It is most commonly referred to as "a kind of public disclosure of security information by a certain party". Usually, vulnerability information is discussed on a mailing list or published on a security web site and results in a security advisory afterward.

The time of disclosure is the first date a security vulnerability is described on a channel where the disclosed information on the vulnerability fulfils the following requirements:
  • The information is freely available to the public
  • The vulnerability information is published by a trusted and independent channel/source
  • The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure

Identifying and removing vulnerabilities

Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system.

Vulnerabilities have been found in every major operating system, including Windows, Mac OS, various forms of Unix and Linux, OpenVMS, and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance (e.g. applying software patches), best practices in deployment (e.g. the use of firewalls and access controls) and auditing (both during development and throughout the deployment lifecycle).

Examples of vulnerabilities

Vulnerabilities may result from weak passwords, software bugs, a computer virus or other malware, a script code injection, a SQL injection or misconfiguration. Three examples: an attacker finds and uses an overflow weakness to install malware to export sensitive data; an attacker convinces a user to open an email message with attached malware; an insider copies a hardened, encrypted program onto a thumb drive and cracks it at home.

In the system context, computer users can also be considered flaws; see social engineering (security).

Common types of software flaws that lead to vulnerabilities include:
  • Memory safety violations, such as:
    • Buffer overflows
    • Dangling pointers
  • Input validation errors, such as:
    • Format string bugs
    • Improperly handling shell metacharacters so they are interpreted
    • SQL injection
    • Code injection
    • E-mail injection
    • Directory traversal
    • Cross-site scripting in web applications
    • HTTP header injection
    • HTTP response splitting
  • Race conditions, such as:
    • Time-of-check-to-time-of-use bugs
    • Symlink races
  • Privilege-confusion bugs, such as:
    • Cross-site request forgery in web applications
    • Clickjacking
    • FTP bounce attack
  • Privilege escalation
  • User interface failures, such as:
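Added example (not from the article): a defensive check for the directory traversal item in the list above, in Python. `resolve_under_base`, `is_safe` and `BASE_DIR` are names chosen here, and the base path is constructed for the demonstration. It goes slightly beyond the list entry by also rejecting absolute names, sibling directories that merely share a prefix, and names containing a null byte.

```python
import os

# Constructed base directory for the demonstration; it need not exist,
# because os.path.realpath resolves what it can and normalises the rest.
BASE_DIR = "/srv/app/uploads"


class TraversalError(ValueError):
    """Raised when a user-supplied name would escape the base directory."""


def resolve_under_base(base, user_name):
    """Return the absolute path for user_name inside base, or raise.

    The check runs on the resolved path rather than on the raw string, so
    '..' segments, absolute names and symlinks are all handled the same way.
    """
    if "\x00" in user_name:
        # A null byte would silently truncate the name at the C library level.
        raise TraversalError("embedded null byte in file name")
    base_real = os.path.realpath(base)
    # os.path.join discards base when user_name is absolute, which is
    # exactly why the result must be checked afterwards rather than trusted.
    candidate = os.path.realpath(os.path.join(base_real, user_name))
    # commonpath compares whole components, so a sibling such as
    # /srv/app/uploads2 is not mistaken for a child of /srv/app/uploads.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise TraversalError(f"{user_name!r} resolves outside {base_real}")
    return candidate


def is_safe(base, user_name):
    """Boolean form of the check, convenient for tests and log filters."""
    try:
        resolve_under_base(base, user_name)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample names: two honest, four that try to leave the base.
    for name in ["reports/q1.txt", "reports/../notes.txt",
                 "../../etc/passwd", "/etc/passwd", "..", "../uploads2/x"]:
        print(f"{name!r:22} safe={is_safe(BASE_DIR, name)}")
```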

See also

  • Exploit (computer security)
  • Computer security
  • Computer insecurity
  • Common Vulnerabilities and Exposures (CVE)
  • Common Vulnerability Scoring System (CVSS)
  • Y2K
