A quick guide to vulnerabilities - what they are, how they can be exploited, and the consequences of exploitation.
A vulnerability is a weakness in a program that can be exploited to perform unauthorized actions.
The program containing the weakness may be the operating system of a device, or it may be a program installed it.
Some vulnerabilities are discovered by 'white hat' security researchers, who usually report the issue to the software vendors through established bug bounty programs (such as our Vulnerability Reward Program). Others are found by attackers, who put their discoveries to more harmful use.
Exploiting a vulnerability
How can vulnerabilities be exploited?
Vulnerabilities usually arise when a researcher or attacker discovers that part of a program's code can be forced to run in an unexpected way, which results in undesirable behavior. Each vulnerability is unique, so attackers need to use a specific piece of code or method (known as an exploit) to trigger the unexpected behavior.
Some vulnerabilities can only be exploited by an attacker working locally, either with direct access to the device itself or over a local network. In these cases, the attacker may be an authorized user trying to gain unauthorized privileges or access, or an on-the-spot intruder.
If a device with a vulnerability is connected to a network such as the Internet, it may be possible for attackers working remotely to exploit it. There are a number of ways a remote attacker can exploit such a flaw:
- Exploit kits
The user is lured into opening a website on their device. The site hosts an exploit kit that probes the device for vulnerabilities and tries to exploit them
- Direct exploitation
A flaw in the way devices connect to the Internet allow it to exploited
If a vulnerability is found and exploited before the program's vendor has released a patch for it, it is known as a 'zero-day vulnerability', and attacks against it are known as 'zero-day attacks'.
These attacks are considered dangerous because they are usually hard to spot and deflect. Examples of attacks that have used zero-day vulnerabilities to devastating effect include:
Most vendors will release an advisory offering workarounds or mitigation strategies that users or organizations can deploy while waiting for an official patch to be released.
0-day Fixes lists detections used by F-Secure products to safeguard users against zero-day vulnerabilities reported in Microsoft's latest Security Advisories.
Impact and consequences
When an attacker successfully exploits a vulnerability, they can perform unauthorized actions on the affected program or device. The actions they can take depend on the severity of the vulnerability that is targeted.
Vulnerabilities are given a severity rating based on two factors: how easy the weakness is to exploit; and the impact exploiting it can have on the program, device or data. Though each security product vendor may use slightly differing criteria to rate vulnerabilities, most have very similar rating scales:
No visible sign of infection, no visible user interaction
The most damaging vulnerabilities. If successfully exploited, an attacker can:
Require some form of user interaction
These vulnerabilities usually involve manipulating the user, for example by using fraudulent prompts or messages. If successfully exploited, the attacker can compromise data or resources on the device
Exposure may be mitigated by certain product and/or setup conditions
These vulnerabilities can only be exploited if they are not protected by known workarounds or mitigating factors. If successfully exploited, the attacker can compromise data or resources on the device
Requires specific product and/or setup conditions
These vulnerabilities can only be exploited when the program or setup meet specific conditions. If successfully exploited, the attacker can compromise data or resources on the device.
Security researchers use the term 'attack surface' to collectively refer to all the vulnerabilities or potential attack channels that can be used to affect a device. Regular users can minimize or close these weak points for their own devices by taking various precautions or actions, in a strategy known as 'attack surface reduction (ASR)'.
Keeping programs up-to-date
The simplest, and most effective safeguard against known vulnerabilities is to keep the device's operating system and all installed programs up-to-date with the latest security patches published by the programs' vendors.
Most vendors' websites will have information about the latest security updates available for their programs. For example, Security Advisories has a list of all known vulnerabilities reported for F-Secure products, and includes links to appropriate patches.
In addition, Vulnerability Protection lists the latest patches released by the vendors of popular programs. Users are strongly urged to install security patches for programs present on their systems as soon as they are released by the vendor.
Other pro-active steps you can take will vary depending on how your device is set up and used, but can include:
- Connecting only when needed
Disconnect the device from the Internet (including turning off Wi-Fi) when you're not actively using data
- Separate Administrator and user accounts
Use a separate, password-protected Administrator account so that it's harder for an attacker to take total control of the device
- Remove unused or vulnerable programs
Remove programs that are frequently targeted or seldom used. You can also just disable them until needed
- Use an up-to-date antimalware product
Regularly scan your device with a reputable antimalware product to check for issues
- Use encryption
Encrypt data stored on devices (or the device itself) to prevent unauthorized access or use