In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorised actions within a computer system. Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

A security risk is often incorrectly classified as a vulnerability. Using vulnerability with the same meaning as risk can lead to confusion. The risk is the potential of a significant impact resulting from the exploit of a vulnerability. Hence there are vulnerabilities without risk: for example, when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was available or deployed, or the attacker was disabled; see zero-day attack.

Security bug (security defect) is a narrower concept: there are vulnerabilities that are not related to software. Hardware, site, and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.
Definitions

ISO 27005 defines vulnerability as:
A weakness of an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission.
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy
The Committee on National Security Systems defines vulnerability as:
Vulnerability — Weakness in an IS, system security procedures, internal controls, or implementation that could be exploited
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved. (ITSEC)
The Open Group defines vulnerability as:
The probability that threat capability exceeds the ability to resist the threat.
Factor Analysis of Information Risk (FAIR) defines vulnerability as:
The probability that an asset will be unable to resist the actions of a threat agent
According to FAIR, vulnerability is related to Control Strength, i.e. the strength of a control as compared to a standard measure of force, and to Threat Capability, i.e. the probable level of force that a threat agent is capable of applying against an asset.
A weakness in design, implementation, operation or internal control
Data and Computer Security: Dictionary of Standards, Concepts and Terms (Dennis Longley and Michael Shain, Stockton Press, ISBN 0-935859-17-9) defines vulnerability as:

1) In computer security, a weakness in automated systems security procedures, administrative controls, Internet controls, etc., that could be exploited by a threat to gain unauthorized access to information or to disrupt critical processing.
2) In computer security, a weakness in the physical layout, organization, procedures, personnel, management, administration, hardware or software that may be exploited to cause harm to the ADP system or activity.
3) In computer security, any weakness or flaw existing in a system. The attack or harmful event, or the opportunity available to a threat agent to mount that attack.
Matt Bishop and Dave Bailey give the following definition of computer vulnerability:
A computer system is composed of states describing the current configuration of the entities that make up the computer system. The system computes through the application of state transitions that change the state of the system. All states reachable from a given initial state using a set of state transitions fall into the class of authorized or unauthorized, as defined by a security policy. In this paper, the definitions of these classes and transitions is considered axiomatic. A vulnerable state is an authorized state from which an unauthorized state can be reached using authorized state transitions. A compromised state is the state so reached. An attack is a sequence of authorized state transitions which end in a compromised state. By definition, an attack begins in a vulnerable state. A vulnerability is a characterization of a vulnerable state which distinguishes it from all non-vulnerable states. If generic, the vulnerability may characterize many vulnerable states; if specific, it may characterize only one...
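The Bishop and Bailey definition above is a reachability statement over a state graph, so it can be checked mechanically. The following Python model is an added example, not code from the article or from Bishop and Bailey; the states, the security policy and the transition table are a constructed toy file-sharing host, and the flawed transition it contains is hypothetical. It finds every authorized state from which an unauthorized state is reachable through authorized transitions (the vulnerable states), returns the shortest attack as an action sequence, and shows that removing the flawed transition leaves no vulnerable state.

```python
"""Worked model of Bishop and Bailey's state-transition definition of a
vulnerability. Added example with constructed toy data; not from the article."""
from collections import deque

# Security policy: every state is classified as authorized or unauthorized.
AUTHORIZED = {"logged_out", "user_session", "file_served", "decommissioned"}
UNAUTHORIZED = {"other_users_file_read"}

# Authorized transitions: (from_state, action) -> to_state. Each entry is an
# action the system permits; none of them is forbidden by itself.
TRANSITIONS = {
    ("logged_out", "login"): "user_session",
    ("user_session", "request_own_file"): "file_served",
    ("file_served", "close"): "user_session",
    ("user_session", "logout"): "logged_out",
    ("logged_out", "retire_host"): "decommissioned",
    # Hypothetical flaw: the file endpoint trusts a client-supplied path,
    # so an ordinary, authorized request lands in an unauthorized state.
    ("user_session", "request_path ../other/secret"): "other_users_file_read",
}


def find_attack(start, transitions=TRANSITIONS, unauthorized=UNAUTHORIZED):
    """Breadth-first search from `start` over authorized transitions.

    Returns the shortest list of actions that ends in an unauthorized
    (compromised) state, or None if no such sequence exists, in which case
    `start` is not a vulnerable state in Bishop and Bailey's sense."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        state, path = queue.popleft()
        if state in unauthorized:
            return path  # an attack ends at the first compromised state
        for (src, action), dst in transitions.items():
            if src == state and dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [action]))
    return None


def vulnerable_states(authorized=AUTHORIZED, transitions=TRANSITIONS,
                      unauthorized=UNAUTHORIZED):
    """The set of authorized states from which a compromise is reachable."""
    return {s for s in authorized
            if find_attack(s, transitions, unauthorized) is not None}


def without_transition(transitions, src, action):
    """Copy of the transition table with one transition removed; models a fix
    that makes the flawed action unavailable rather than merely rare."""
    return {k: v for k, v in transitions.items() if k != (src, action)}


if __name__ == "__main__":
    for state in sorted(AUTHORIZED):
        print(f"{state:15} attack: {find_attack(state)}")
    fixed = without_transition(TRANSITIONS, "user_session",
                               "request_path ../other/secret")
    print("vulnerable after fix:", vulnerable_states(transitions=fixed))
```

Note that vulnerability is transitive over the graph: `file_served` is vulnerable even though it has no flawed transition of its own, because an authorized `close` returns it to a state that does. That is why, in this model, a fix is a removed transition and not a longer path.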
The National Information Assurance Training and Education Center defines vulnerability as:

1. A weakness in automated system security procedures, administrative controls, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.
2. A weakness in system security procedures, hardware design, internal controls, etc., which could be exploited to gain unauthorized access to classified or sensitive information.
3. A weakness in the physical layout, organization, procedures, personnel, management, administration, hardware, or software that may be exploited to cause harm to the ADP system or activity. The presence of a vulnerability does not in itself cause harm; a vulnerability is merely a condition or set of conditions that may allow the ADP system or activity to be harmed by an attack.
4. An assertion primarily concerning entities of the internal environment (assets); we say that an asset (or class of assets) is vulnerable (in some way, possibly involving an agent or collection of agents); we write: V(i,e) where e may be an empty set.
5. Susceptibility to various threats.
6. A set of properties of a specific internal entity that, in union with a set of properties of a specific external entity, implies a risk.
7. The characteristics of a system which cause it to suffer a definite degradation (incapability to perform the designated mission) as a result of having been subjected to a certain level of effects in an unnatural (manmade) hostile environment.
Vulnerability and risk factor models
A resource (either physical or logical) may have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromise the confidentiality, integrity or availability of resources (not necessarily the vulnerable one) belonging to an organization and/or other parties involved.
OWASP: relationship between threat agent and business impact
OWASP (see figure) depicts the same phenomenon in slightly different terms: a threat agent through an attack vector exploits a weakness (vulnerability) of the system and the related security controls, causing a technical impact on an IT resource (asset) connected to a
The overall picture represents the risk factors of the risk
- susceptibility to humidity, susceptibility to dust, susceptibility to soiling, susceptibility to unprotected storage
- insufficient testing, lack of audit trail, design flaw
- unprotected communication lines, insecure network architecture
- inadequate recruiting process, inadequate security awareness
- area subject to flood, unreliable power source
- lack of regular audits, lack of continuity plans, lack of security
- Complexity: Large, complex systems increase the probability of flaws and unintended access points.
- Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw.
- Connectivity: More physical connections, privileges, ports, protocols, and services, and the time each of those is accessible, increase vulnerability.
- Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
- Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with policies such as default permit grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.
- Internet website browsing: Some internet websites may contain harmful
Research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human: so humans should be considered in their different roles as asset, threat, and information resource. Social engineering is an increasing security concern.

Vulnerability consequences
The impact of a security breach can be very high. The fact that IT managers, or upper management, can (easily) know that IT systems and applications have vulnerabilities and do not perform any action to

- prevent the exploit
- detect and intercept the attack
- find out the threat agents and prosecute them
Intrusion detection system is an example of a class of systems used to
- The information is freely available to the public
- The vulnerability information is published by a trusted and independent channel/source
- The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure
Identifying and removing vulnerabilities
Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system.
Vulnerabilities have been found in every major operating system including Windows, macOS, various forms of

- physical environment of the system
- the personnel
- management
- administration procedures and security measures within the organization
- business operation and service delivery
- hardware
- software
- communication equipment and facilities
- and their combinations.
It is evident that a purely technical approach cannot even protect physical assets: one should have administrative procedures to let maintenance personnel enter the facilities, and people with adequate knowledge of the procedures, motivated to follow them with proper care. See Social engineering (security).

Four examples of vulnerability exploits:

- an attacker finds and uses an overflow weakness to install malware to export sensitive data;
- an attacker convinces a user to open an email message with attached malware;
- an insider copies a hardened, encrypted program onto a thumb drive and cracks it at home;
- a flood damages one's computer systems installed at ground floor.
Software vulnerabilities

Common types of software flaws that lead to vulnerabilities include:

- Memory safety violations, such as:
  - Buffer overflows and over-reads
  - Dangling pointers
- Input validation errors, such as:
  - Code injection
  - Cross-site scripting in web applications
  - Directory traversal
  - E-mail injection
  - Format string attacks
  - HTTP header injection
  - HTTP response splitting
  - SQL injection
- Privilege-confusion bugs, such as:
  - Cross-site request forgery
- Privilege escalation
- Race conditions, such as:
  - Symlink races
  - Time-of-check-to-time-of-use bugs
- Blaming the victim: prompting a user to make a security decision without giving the user enough information to answer it
- Race conditions
- Warning fatigue or user conditioning
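As an added illustration of one entry in the list above (directory traversal, an input validation error), the following Python snippet shows a naive path-resolution function beside a hardened one. It is not code from the article or from any project it cites; the base directory and the request strings are constructed sample values, and nothing is read from disk.

```python
"""Directory traversal: a naive resolver beside a hardened one.
Added example with constructed sample values; not from the article."""
import os

BASE_DIR = "/srv/app/static"  # constructed example document root


def resolve_unsafe(base, requested):
    """Vulnerable: the client-supplied path is joined onto the base as-is.
    '..' components walk out of the base, and an absolute `requested`
    makes os.path.join discard the base altogether."""
    return os.path.normpath(os.path.join(base, requested))


def resolve_safe(base, requested):
    """Hardened: canonicalise both sides, then require the candidate to
    remain inside the base. Returns the canonical path, or None when the
    request would escape (the caller should treat None as a 404/403)."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath compares whole path components, so "/srv/app/static2"
    # is not mistaken for a child of "/srv/app/static" the way a plain
    # str.startswith check would.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("css/site.css", "docs/../css/site.css",
                "../../../etc/passwd", "/etc/passwd"):
        print(f"{req:22} unsafe={resolve_unsafe(BASE_DIR, req)!s:28} "
              f"safe={resolve_safe(BASE_DIR, req)}")
```

`os.path.realpath` is used rather than `os.path.normpath` so that a symlink placed inside the base and pointing outside it is resolved before the containment check; a purely lexical check would pass such a link. The check is deliberately a containment test on the canonical path rather than a denylist of `..` substrings, since encodings and platform separators make substring filters easy to miss.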
Several sets of coding guidelines have been developed, and a large number of static code analysers have been used to verify that code follows the guidelines.

See also

- Browser security
- Computer emergency response team
- Information security
- Internet security
- Mobile security
- Vulnerability scanner