Vulnerability (computing)
   HOME

TheInfoList



OR:

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a
threat actor A threat actor or malicious actor is either a person or a group of people that take part in an action that is intended to cause harm to the cyber realm including: computers, devices, systems, or networks. The term is typically used to describe in ...
, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the
attack surface The attack surface of a software environment is the sum of the different points (for " attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. Keeping the attack surface as small a ...
.
Vulnerability management Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities. Vulnerability management is integral to computer security and network security, and must not be ...
is a cyclical practice that varies in theory but contains common processes which include: discover all assets, prioritize assets, assess or perform a complete vulnerability scan, report on results, remediate vulnerabilities, verify remediation - repeat. This practice generally refers to software vulnerabilities in computing systems. Agile vulnerability management refers preventing attacks by identifying all vulnerabilities as quickly as possible. A security risk is often incorrectly classified as a vulnerability. The use of vulnerability with the same meaning of risk can lead to confusion. The risk is the potential of a significant impact resulting from the exploit of a vulnerability. Then there are vulnerabilities without risk: for example when the affected
asset In financial accounting, an asset is any resource owned or controlled by a business or an economic entity. It is anything (tangible or intangible) that can be used to produce positive economic value. Assets represent value of ownership that can ...
has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability—a vulnerability for which an
exploit Exploit means to take advantage of something (a person, situation, etc.) for one's own end, especially unethically or unjustifiably. Exploit can mean: *Exploitation of natural resources *Exploit (computer security) * Video game exploit *Exploitat ...
exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled—see
zero-day attack A zero-day (also known as a 0-day) is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, like the vendor of the target software. Until the vulnerability is mitigated, hackers can exploit ...
.
Security bug Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...
( security defect) is a narrower concept. There are vulnerabilities that are not related to software: hardware, site, personnel vulnerabilities are examples of vulnerabilities that are not software security bugs. Constructs in
programming languages A programming language is a system of notation for writing computer programs. Most programming languages are text-based formal languages, but they may also be graphical. They are a kind of computer language. The description of a programming ...
that are difficult to use properly can manifest large numbers of vulnerabilities.


Definitions

ISO ISO is the most common abbreviation for the International Organization for Standardization. ISO or Iso may also refer to: Business and finance * Iso (supermarket), a chain of Danish supermarkets incorporated into the SuperBest chain in 2007 * Iso ...
27005 defines vulnerability as: :''A weakness of an asset or group of assets that can be exploited by one or more threats,'' where an ''asset is anything that has value to the organization, its business operations, and their continuity, including information resources that support the organization's mission''
IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
RFC 4949 vulnerability as:Internet Engineering Task Force RFC 4949 Internet Security Glossary, Version 2 :'' A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy'' The
Committee on National Security Systems The Committee on National Security Systems (CNSS) is a United States intergovernmental organization that sets policy for the security of the US security systems. Charter, mission, and leadership The National Security Telecommunications and Infor ...
of
United States of America The United States of America (U.S.A. or USA), commonly known as the United States (U.S. or US) or America, is a country primarily located in North America. It consists of 50 states, a federal district, five major unincorporated territo ...
defined vulnerability in CNSS Instruction No. 4009 dated 26 April 2010
National Information Assurance Glossary Committee on National Security Systems Instruction No. 4009, National Information Assurance Glossary, published by the United States federal government, is an unclassified glossary of Information security terms intended to provide a common vocabul ...
: :''Vulnerability—Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.'' Many NIST publications define vulnerability in IT context in different publications: FISMApedia term provide a list. Between them SP 800-30,NIST SP 800-30 Risk Management Guide for Information Technology Systems
/ref> give a broader one: :'' A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. '' ENISA defines vulnerability in as: :'' The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event .11compromising the security of the computer system, network, application, or protocol involved.(ITSEC)''
The Open Group The Open Group is a global consortium that seeks to "enable the achievement of business objectives" by developing "open, vendor-neutral technology standards and certifications." It has over 840 member organizations and provides a number of servi ...
defines vulnerability in as :''The probability that threat capability exceeds the ability to resist the threat''. Factor Analysis of Information Risk (FAIR) defines vulnerability as:"An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006
;
:''The probability that an asset will be unable to resist the actions of a threat agent'' According to FAIR vulnerability is related to Control Strength, i.e. the strength of control as compared to a standard measure of force and the
threat A threat is a communication of intent to inflict harm or loss on another person. Intimidation is a tactic used between conflicting parties to make the other timid or psychologically insecure for coercion or control. The act of intimidation for co ...
Capabilities, i.e. the probable level of force that a threat agent is capable of applying against an asset.
ISACA ISACA is an international professional association focused on IT (information technology) governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only.
defines vulnerability in
Risk It Risk IT, published in 2009 by ISACA,ISACA THE RISK IT FR ...
framework as: :''A weakness in design, implementation, operation or internal control'' Data and Computer Security: Dictionary of standards concepts and terms, authors Dennis Longley and Michael Shain, Stockton Press, , defines vulnerability as: :''1) In computer security, a weakness in automated systems security procedures, administrative controls, Internet controls, etc., that could be exploited by a threat to gain unauthorized access to information or to disrupt critical processing. 2) In computer security, a weakness in the physical layout, organization, procedures, personnel, management, administration, hardware or software that may be exploited to cause harm to the ADP system or activity. 3) In computer security, any weakness or flaw existing in a system. The attack or harmful event, or the opportunity available to a threat agent to mount that attack.'' Matt Bishop and Dave Bailey give the following definition of computer vulnerability: :''A computer system is composed of states describing the current configuration of the entities that make up the computer system. The system computes through the application of state transitions that change the state of the system. All states reachable from a given initial state using a set of state transitions fall into the class of authorized or unauthorized, as defined by a security policy. In this paper, the definitions of these classes and transitions is considered axiomatic. A vulnerable state is an authorized state from which an unauthorized state can be reached using authorized state transitions. A compromised state is the state so reached. An attack is a sequence of authorized state transitions which end in a compromised state. By definition, an attack begins in a vulnerable state. A vulnerability is a characterization of a vulnerable state which distinguishes it from all non-vulnerable states. If generic, the vulnerability may characterize many vulnerable states; if specific, it may characterize only one...''
National Information Assurance Training and Education Center The National Information Assurance Training and Education Center (NIATEC) is an American consortium of academic, industry, and government organizations to improve the literacy, awareness, training and education standards in Information Assurance ...
defines vulnerability: :''A weakness in automated system security procedures, administrative controls, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing. 2. A weakness in system security procedures, hardware design, internal controls, etc. , which could be exploited to gain unauthorized access to classified or sensitive information. 3. A weakness in the physical layout, organization, procedures, personnel, management, administration, hardware, or software that may be exploited to cause harm to the ADP system or activity. The presence of a vulnerability does not in itself cause harm; a vulnerability is merely a condition or set of conditions that may allow the ADP system or activity to be harmed by an attack. 4. An assertion primarily concerning entities of the internal environment (assets); we say that an asset (or class of assets) is vulnerable (in some way, possibly involving an agent or collection of agents); we write: V(i,e) where: e may be an empty set. 5. Susceptibility to various threats. 6. A set of properties of a specific internal entity that, in union with a set of properties of a specific external entity, implies a risk. 7. The characteristics of a system which cause it to suffer a definite degradation (incapability to perform the designated mission) as a result of having been subjected to a certain level of effects in an unnatural (manmade) hostile environment.''


Vulnerability and risk factor models

A resource (either physical or logical) may have one or more vulnerabilities that can be exploited by a threat actor. The result can potentially compromise the
confidentiality Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information. Legal confidentiality By law, lawyers are often required ...
,
integrity Integrity is the practice of being honest and showing a consistent and uncompromising adherence to strong moral and ethical principles and values. In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one's actions. In ...
or
availability In reliability engineering, the term availability has the following meanings: * The degree to which a system, subsystem or equipment is in a specified operable and committable state at the start of a mission, when the mission is called for at ...
of resources (not necessarily the vulnerable one) belonging to an organization and/or other parties involved (customers, suppliers). The so-called
CIA triad Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
is a cornerstone of
Information Security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
. An attack can be ''active'' when it attempts to alter system resources or affect their operation, compromising integrity or availability. A "''passive attack''" attempts to learn or make use of information from the system but does not affect system resources, compromising confidentiality.
OWASP The Open Web Application Security Project (OWASP) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. The OWASP provides free and open ...
(see figure) depicts the same phenomenon in slightly different terms: a threat agent through an attack vector exploits a weakness (vulnerability) of the system and the related security controls, causing a technical impact on an IT resource (asset) connected to a business impact. The overall picture represents the
risk factors In epidemiology, a risk factor or determinant is a variable associated with an increased risk of disease or infection. Due to a lack of harmonization across disciplines, determinant, in its more widely accepted scientific meaning, is often use ...
of the risk scenario.


Information security management system

A set of policies concerned with the
information security management system Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The cor ...
(ISMS), has been developed to manage, according to Risk management principles, the
countermeasures A countermeasure is a measure or action taken to counter or offset another one. As a general concept, it implies precision and is any technological or tactical solution or system designed to prevent an undesirable outcome in the process. The fi ...
to ensure a security strategy is set up following the rules and regulations applicable to a given organization. These countermeasures are also called
Security controls Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the c ...
, but when applied to the transmission of information, they are called security services.


Classification

Vulnerabilities are classified according to the asset class they are related to:ISO/IEC, "Information technology -- Security techniques-Information security risk management" ISO/IEC FIDIS 27005:2008 * hardware ** susceptibility to humidity or dust ** susceptibility to unprotected storage ** age-based wear that causes failure ** over-heating * software ** insufficient testing ** insecure coding ** lack of
audit trail An audit trail (also called audit log) is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific ...
** design flaw * network ** unprotected communication lines (e.g. lack of
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
) ** insecure
network architecture Network architecture is the design of a computer network. It is a framework for the specification of a network's physical components and their functional organization and configuration, its operational principles and procedures, as well as commun ...
* personnel ** inadequate recruiting process ** inadequate
security awareness Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization. Many organizations require formal security awareness trainin ...
** insider threat * physical site ** area subject to natural disasters (e.g. flood, earthquake) ** interruption of power source * organizational ** lack of regular audits ** lack of continuity plans ** lack of security


Causes

*Complexity: Large, complex systems increase the probability of flaws and unintended access points. *Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw. *Connectivity: More physical connections, privileges, ports, protocols, and services and time each of those are accessible increase vulnerability. *Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites. *Fundamental
operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...
design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with policies such as default permit grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator. *Internet Website Browsing: Some internet websites may contain harmful
Spyware Spyware (a portmanteau for spying software) is software with malicious behaviour that aims to gather information about a person or organization and send it to another entity in a way that harms the user—for example, by violating their priva ...
or
Adware Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the ...
that can be installed automatically on the computer systems. After visiting those websites, the computer systems become infected and personal information will be collected and passed on to third party individuals. * Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application. *
Unchecked user input Improper input validation or unchecked user input is a type of vulnerability in computer software that may be used for security exploits. This vulnerability is caused when " e product does not validate or incorrectly validates input that can affect ...
: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as
Buffer overflow In information security and programming, a buffer overflow, or buffer overrun, is an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Buffers are areas of memo ...
s,
SQL injection In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL in ...
or other non-validated inputs). *Not learning from past mistakes: for example most vulnerabilities discovered in IPv4 protocol software were discovered in the new
IPv6 Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communication protocol, communications protocol that provides an identification and location system for computers on networks and routes traffic ...
implementations. The research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human: so humans should be considered in their different roles as asset, threat, information resources. Social engineering is an increasing security concern.


Consequences

The impact of a security breach can be very high. Most legislation sees the failure of IT managers to address IT systems and applications vulnerabilities if they are known to them as misconduct; IT managers have a responsibility to manage
IT risk Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Re ...
. Privacy law forces managers to act to reduce the impact or likelihood of that security risk.
Information technology security audit An information security audit is an audit on the level of information security in an organization. It is an independent review and examination of system records, activities and related documents. These audits are intended to improve the level of in ...
is a way to let other independent people certify that the IT environment is managed properly and lessen the responsibilities, at least having demonstrated the good faith.
Penetration test A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. T ...
is a form of verification of the weakness and countermeasures adopted by an organization: a
White hat White hat, white hats, or white-hat may refer to: Art, entertainment, and media * White hat, a way of thinking in Edward de Bono's book ''Six Thinking Hats'' * White hat, part of black and white hat symbolism in film Other uses * White hat (compu ...
hacker tries to attack an organization's information technology assets, to find out how easy or difficult it is to compromise the IT security. The proper way to professionally manage the IT risk is to adopt an Information Security Management System, such as
ISO/IEC 27002 ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled ''Information security, cybersecurity and privacy protect ...
or
Risk IT Risk IT, published in 2009 by ISACA,ISACA THE RISK IT FR ...
and follow them, according to the security strategy set forth by the upper management. One of the key concept of information security is the principle of
defence in depth Defence in depth (also known as deep defence or elastic defence) is a military strategy that seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating ...
, i.e. to set up a multilayer defense system that can: * prevent the exploit * detect and intercept the attack * find out the threat agents and prosecute them
Intrusion detection system An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically rep ...
is an example of a class of systems used to detect attacks.
Physical security Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physica ...
is a set of measures to physically protect an information asset: if somebody can get physical access to the information asset, it is widely accepted that an attacker can access any information on it or make the resource unavailable to its legitimate users. Some sets of criteria to be satisfied by a computer, its operating system and applications in order to meet a good security level have been developed: ITSEC and Common criteria are two examples.


Vulnerability disclosure

Coordinated disclosure (some refer to it as '
responsible disclosure In computer security, coordinated vulnerability disclosure, or "CVD" (formerly known as responsible disclosure) is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible partie ...
' but that is considered a biased term by others) of vulnerabilities is a topic of great debate. As reported by The Tech Herald in August 2010, "
Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...
,
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
,
TippingPoint TippingPoint, part of Trend Micro Security, is an American software company founded in 1999 with focus on network security products, particularly intrusion prevention systems for networks. History The company was founded in January 1999 under ...
, and
Rapid7 The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7. It ...
have issued guidelines and statements addressing how they will deal with disclosure going forward." The other method is typically full disclosure, when all the details of a vulnerability is publicized, sometimes with the intent to put pressure on the software author to publish a fix more quickly. In January 2014 when Google revealed a Microsoft vulnerability before Microsoft released a patch to fix it, a Microsoft representative called for coordinated practices among software companies in revealing disclosures.


Vulnerability inventory

Mitre Corporation maintains an incomplete list of publicly disclosed vulnerabilities in a system called
Common Vulnerabilities and Exposures The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The United States' National Cybersecurity FFRDC, operated by The MITRE Corporation, mainta ...
. This information is immediately shared with the
National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical s ...
(NIST), where each vulnerability is given a risk score using
Common Vulnerability Scoring System The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioriti ...
(CVSS), Common Platform Enumeration (CPE) scheme, and
Common Weakness Enumeration The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools t ...
. Cloud service providers often don't list security issues in their services using the CVE system. There is currently no universal standard for
cloud computing Cloud computing is the on-demand availability of computer system resources, especially data storage ( cloud storage) and computing power, without direct active management by the user. Large clouds often have functions distributed over mul ...
vulnerability enumeration, severity assessment, and no unified tracking mechanism. Th
Open CVDB
initiative is a community-driven centralized cloud vulnerability database that catalogs CSP vulnerabilities, and lists the steps users can take to detect or prevent these issues in their own environments. OWASP maintains a list of vulnerability classes with the aim of educating system designers and programmers, therefore reducing the likelihood of vulnerabilities being written unintentionally into the software.


Vulnerability disclosure date

The time of disclosure of a vulnerability is defined differently in the security community and industry. It is most commonly referred to as "a kind of public disclosure of security information by a certain party". Usually, vulnerability information is discussed on a mailing list or published on a security web site and results in a security advisory afterward. The time of disclosure is the first date a security vulnerability is described on a channel where the disclosed information on the vulnerability has to fulfill the following requirement: * The information is freely available to the public * The vulnerability information is published by a trusted and independent channel/source * The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure ;Identifying and removing vulnerabilities Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they can not replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system. Vulnerabilities have been found in every major operating system including
Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...
,
macOS macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac computers. Within the market of desktop and lapt ...
, various forms of
Unix Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and ot ...
and
Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, which ...
, OpenVMS, and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance (e.g. applying software patches), best practices in deployment (e.g. the use of firewalls and access controls) and auditing (both during development and throughout the deployment lifecycle).


Locations in which vulnerabilities manifest

Vulnerabilities are related to and can manifest in: * physical environment of the system * the personnel (i.e. employees, management) * administration procedures and security policy * business operation and service delivery * hardware including peripheral devices * software (i.e. on premises or in cloud) * connectivity (i.e. communication equipment and facilities) It is evident that a pure technical approach cannot always protect physical assets: one should have administrative procedure to let maintenance personnel to enter the facilities and people with adequate knowledge of the procedures, motivated to follow it with proper care. However, technical protections do not necessarily stop
Social engineering (security) Social engineering may refer to: * Social engineering (political science), a means of influencing particular attitudes and social behaviors on a large scale * Social engineering (security), obtaining confidential information by manipulating and/o ...
attacks. Examples of vulnerabilities: * an attacker finds and uses a buffer overflow weakness to install malware to then exfiltrate sensitive data; * an attacker convinces a user to open an email message with attached malware; * a flood damages one's computer systems installed at ground floor.


Software vulnerabilities

Common types of software flaws that lead to vulnerabilities include: *
Memory safety safety is the state of being protected from various software bugs and security vulnerabilities when dealing with memory access, such as buffer overflows and dangling pointers. For example, Java is said to be memory-safe because its runtime error ...
violations, such as: **
Buffer overflow In information security and programming, a buffer overflow, or buffer overrun, is an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Buffers are areas of memo ...
s and over-reads **
Dangling pointer Dangling pointers and wild pointers in computer programming are pointers that do not point to a valid object of the appropriate type. These are special cases of memory safety violations. More generally, dangling references and wild references ar ...
s * Input validation errors, such as: **
Code injection Code injection is the exploitation of a computer bug that is caused by processing invalid data. The injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program and change the course of execution. The re ...
**
Cross-site scripting Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may ...
in web applications ** Directory traversal **
E-mail injection Email injection is a security vulnerability that can occur in Internet applications that are used to send email messages. It is the email equivalent of HTTP Header Injection. Like SQL injection attacks, this vulnerability is one of a general class ...
** Format string attacks ** HTTP header injection ** HTTP response splitting **
SQL injection In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL in ...
* Privilege-confusion bugs, such as: **
Clickjacking Clickjacking (classified as a user interface redress attack or UI redressing) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or ...
**
Cross-site request forgery Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced ''sea-surf'') or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitt ...
in web applications **
FTP bounce attack FTP bounce attack is an exploit of the FTP protocol whereby an attacker is able to use the command to request access to ports indirectly through the use of the victim machine, which serves as a proxy for the request, similar to an Open mail relay ...
*
Privilege escalation Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The re ...
*
Race conditions A race condition or race hazard is the condition of an electronics, software, or other system where the system's substantive behavior is dependent on the sequence or timing of other uncontrollable events. It becomes a bug when one or more of ...
, such as: ** Symlink races **
Time-of-check-to-time-of-use In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the ''checking'' of the state of a part of a system (such as a security credential) and the ''use'' ...
bugs *
Side-channel attack In computer security, a side-channel attack is any attack based on extra information that can be gathered because of the fundamental way a computer protocol or algorithm is implemented, rather than flaws in the design of the protocol or algori ...
**
Timing attack In cryptography, a timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time to execute, and ...
*
User interface In the industrial design field of human–computer interaction, a user interface (UI) is the space where interactions between humans and machines occur. The goal of this interaction is to allow effective operation and control of the machine f ...
failures, such as: **
Blaming the Victim Victim blaming occurs when the victim of a crime or any wrongful act is held entirely or partially at fault for the harm that befell them. There is historical and current prejudice against the victims of domestic violence and sex crimes, such as ...
prompting a user to make a security decision without giving the user enough information to answer it **
Race Condition A race condition or race hazard is the condition of an electronics, software, or other system where the system's substantive behavior is Sequential logic, dependent on the sequence or timing of other uncontrollable events. It becomes a software ...
s **Warning fatigue or user conditioning. Some set of coding guidelines have been developed and a large number of static code analyzers has been used to verify that the code follows the guidelines.


See also

*
Browser security Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-si ...
*
Computer emergency response team A computer emergency response team (CERT) is an expert group that handles computer security incidents. Alternative names for such groups include computer emergency readiness team and computer security incident response team (CSIRT). A more modern ...
*
Information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
*
Internet security Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules ...
*
Mobile security Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business ...
*
Vulnerability scanner A vulnerability scanner is a computer program designed to assess computers, networks or applications for known weaknesses. These scanners are used to discover the weaknesses of a given system. They are utilized in the identification and detecti ...
*
Coordinated vulnerability disclosure In computer security, coordinated vulnerability disclosure, or "CVD" (formerly known as responsible disclosure) is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties ...
* Full disclosure


References


External links

* * Security advisories links from the Open Directory http://dmoz-odp.org/Computers/Security/Advisories_and_Patches/ {{DEFAULTSORT:Vulnerability (Computing) Vulnerability Hacking (computer security) Security compliance Software testing