Vulnerability (computing)

In computer security, the term vulnerability is a weakness which allows an attacker to reduce a system's Information Assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw^[1] . To be vulnerable, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

A security risk may be classified as a vulnerability. A vulnerability with one or more known instances of working and fully-implemented attacks is classified as an exploitable vulnerability - a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

Contents 1 Causes 2 Vulnerability disclosure 3 Vulnerability disclosure date 4 Identifying and removing vulnerabilities 5 Examples of vulnerabilities 6 See also 7 References 8 External links

Causes

• Complexity: Large, complex systems increase the probability of flaws and unintended access points
• Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw
• Connectivity: More physical connections, privileges, ports, protocols, and services and time each of those are accessible increase vulnerability
• Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
• Fundamental operating system design flaws: The operating system designer chooses to enforce sub optimal policies on user/program management. For example operating systems with policies such as default permit grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator. [1]
• Internet Website Browsing: Some internet websites may contain harmful Spyware or Adware that can be installed automatically on the computer systems. After visiting those websites, the computer systems become infected and personal information will be collected and passed on to third party individuals.
• Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application.
• Unchecked user input: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as Buffer overflows, SQL injection or other non-validated inputs).

Vulnerability disclosure

Responsible disclosure of vulnerabilities is a topic of great debate. As reported by The Tech Herald in August 2010, "Google, Microsoft, TippingPoint, and Rapid7 have recently issued guidelines and statements addressing how they will deal with disclosure going forward."^[2]

A responsible disclosure first alerts the affected vendors confidentially before alerting CERT two weeks later, which grants the vendors another 45 day grace period before publishing a security advisory.^[3]

Security researchers catering to the needs of the cyberwarfare or cybercrime industry have stated that this approach does not provide them with adequate income for their efforts.^[4] Instead, they offer their exploits privately to enable Zero day attacks.

Vulnerability disclosure date

The time of disclosure of a vulnerability is defined differently in the security community and industry. It is most commonly referred to as "a kind of public disclosure of security information by a certain party". Usually, vulnerability information is discussed on a mailing list or published on a security web site and results in a security advisory afterward.

The time of disclosure is the first date a security vulnerability is described on a channel where the disclosed information on the vulnerability has to fulfill the following requirement:

• The information is freely available to the public
• The vulnerability information is published by a trusted and independent channel/source
• The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure

Identifying and removing vulnerabilities

Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they can not replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system.

Vulnerabilities have been found in every major operating system including Windows, Mac OS, various forms of Unix and Linux, OpenVMS, and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance (e.g. applying software patches), best practices in deployment (e.g. the use of firewalls and access controls) and auditing (both during development and throughout the deployment lifecycle).

Examples of vulnerabilities

Vulnerabilities may result from weak passwords, software bugs, a computer virus or other malware, a script code injection, a SQL injection or misconfiguration. Three examples: an attacker finds and uses an overflow weakness to install malware to export sensitive data; an attacker convinces a user to open an email message with attached malware; an insider copies a hardened, encrypted program onto a thumb drive and cracks it at home.

In the system context, computer users can also be considered flaws, see Social engineering (security).

Common types of software flaws that lead to vulnerabilities include:

• Memory safety violations, such as:
  • Buffer overflows
  • Dangling pointers
• Input validation errors, such as:
  • Format string bugs
  • Improperly handling shell metacharacters so they are interpreted
  • SQL injection
  • Code injection
  • E-mail injection
  • Directory traversal
  • Cross-site scripting in web applications
  • HTTP header injection
  • HTTP response splitting
• Race conditions, such as:
  • Time-of-check-to-time-of-use bugs
  • Symlink races
• Privilege-confusion bugs, such as:
  • Cross-site request forgery in web applications
  • Clickjacking
  • FTP bounce attack
• Privilege escalation
• User interface failures, such as:
  • Warning fatigue [2] or user conditioning [3]
  • Blaming the Victim Prompting a user to make a security decision without giving the user enough information to answer it [4]
  • Race Conditions [5] [6]

See also

• Exploit (computer security)
• Full disclosure
• Computer security
• Computer insecurity
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)
• Metasploit
• Month of Bugs
• Vulnerability management
• w3af
• Y2K

References

External links

• Security advisories links from the Open Directory http://www.dmoz.org/Computers/Security/Advisories_and_Patches/
• Languages Standard's group: Guidance for Avoiding Vulnerabilities through Language Selection and Use
• Microsoft Security Response Center: Definition of a Security Vulnerability
• List of fixes that are included in Windows XP Service Pack 3
• NIST Software Assurance Metrics and Tool Evaluation (SAMATE) project
• Open Source Vulnerability Database (OSVDB) homepage
• Open Web Application Security Project
• Common Vulnerabilities and Exposures (CVE)
• IBM Internet Security Systems (ISS) X-Force research and development team
• ITWIRE: Apple tops vulnerability list, but Microsoft still ahead on exploits August 11, 2008