A quick guide to vulnerabilities - what they are, how they can be exploited, and the consequences of exploitation.
What is a Vulnerability?
A general definition of a vulnerability is:
An unintentional weakness in a product that a) can be accessed by an unauthorized party; b) can be exploited to perform unauthorized actions; and c) requires the product vendor to develop and release a patch to fix the issue.
In digital security, the product containing the weakness is usually (but not always) a piece of software - for example, the operating system of a device such as a PC, tablet or mobile phone, or a program installed on it.
Vulnerabilities usually arise when a certain section of code in a program is forced to run in an unintended manner or scenario, resulting in unexpected, and usually undesirable, behavior. The triggers that cause such an effect are often very specific to the code in question, but can include questionable (untrusted or malformed) user input, suboptimal user authorization or resource management, or simply bugs in the software.
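The following is an added example, not code from the original article, showing one concrete instance of the pattern above: a file-serving function that trusts untrusted user input is forced into an unintended scenario and reads outside the folder it was meant to serve, while a hardened version checks the resolved path first. The folder layout, file names and the requested paths are all constructed for the illustration.

```python
"""Added example (not from the original article): how a weakness born of
unchecked user input becomes a vulnerability, shown as a vulnerable
file-serving function beside its hardened form.  All names, paths and
sample inputs here are constructed for the illustration."""
import os
import tempfile

# Constructed sandbox: a "public" folder the program is meant to serve from,
# and a "secret" file outside it that an unauthorized party must not reach.
ROOT = tempfile.mkdtemp()
PUBLIC = os.path.join(ROOT, "public")
os.makedirs(PUBLIC)
with open(os.path.join(PUBLIC, "index.html"), "w") as f:
    f.write("<h1>hello</h1>")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("db-password")


def serve_vulnerable(requested: str) -> str:
    """The weakness: the program trusts the caller's path and joins it blindly.
    A name such as '../secret.txt' is processed in a way the author never
    intended, so the code runs "correctly" yet reads outside PUBLIC."""
    path = os.path.join(PUBLIC, requested)
    with open(path) as f:
        return f.read()


def serve_hardened(requested: str) -> str:
    """The fix: resolve the final path and check that it still lies inside
    PUBLIC before touching the file system.  Anything else is rejected."""
    base = os.path.realpath(PUBLIC)
    path = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([path, base]) != base:
        raise PermissionError(f"refusing path outside the public folder: {requested!r}")
    with open(path) as f:
        return f.read()


def demo() -> dict:
    """Run both versions against a normal request and a traversal request."""
    results = {
        "vuln_normal": serve_vulnerable("index.html"),
        "vuln_traversal": serve_vulnerable("../secret.txt"),
        "hard_normal": serve_hardened("index.html"),
    }
    try:
        serve_hardened("../secret.txt")
        results["hard_traversal"] = "ALLOWED"
    except PermissionError:
        results["hard_traversal"] = "blocked"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable function is not "broken" in the sense of crashing; every line does exactly what it says. The defect is that the author never considered a request that climbs out of the public folder, which is why such weaknesses are easy to ship and why the fix is a check on the resolved path rather than a change to the file-reading code itself.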
How can they be exploited?
Some vulnerabilities can only be exploited by an attacker working locally, either with direct access to the device itself or over a local network. In such cases, the attacker may be an authorized user trying to gain unauthorized privileges or access, or an on-the-spot intruder.
If a device is connected to a network (such as the Internet) and contains a vulnerability that can be exploited over the network, it may also be targeted by remote attackers.
If a vulnerability is found and exploited before the product vendor has released a patch for it, the vulnerability is known as a 'zero-day'; attacks against it are correspondingly said to be 'zero-day attacks'.
Such attacks are commonly considered dangerous because they are often difficult to spot and deflect. Most vendors will release an advisory offering workarounds or mitigation strategies users may employ while waiting for an official patch to be released.
0-day Fixes also lists detections used by F-Secure products to safeguard users against zero-day vulnerabilities reported in Microsoft's latest Security Advisories.
What are the consequences?
A successfully exploited vulnerability can be used to perform various undesirable actions, including:
- Remotely taking complete control of the affected device, and therefore of the data stored on it;
- Forcing the device to grant the attacker more user privileges;
- Circumventing a feature intended to maintain the program's security or integrity;
- Preventing a program or a service from functioning normally; and
- Stealing data from the device or an accessible database.
In some cases, one vulnerability is attacked as a stepping stone to aid in further, more damaging attacks against other vulnerabilities.
Severity of Impact
Most information security services rate vulnerabilities based on a combination of how difficult the weakness is to exploit and the impact its exploitation can have on the integrity of an affected program, the device, and/or the user's data:
- Vulnerabilities rated as Critical can be exploited by an attacker without displaying any overt sign to the user, or requiring any visible interaction. Successful exploitation allows the attacker to take total control of the affected device, and the user's data on it. In extreme cases, an attacker may even be able to use the controlled system to further attack other devices connected to it, expanding the circle of potential damage.
- Vulnerabilities rated as Important can be exploited by an attacker and require some form of user interaction, usually via fraudulent prompts or messages. Successful exploitation allows the attacker to compromise data or resources on the affected device.
- Vulnerabilities rated as Moderate can be exploited by an attacker, but exposure may be mitigated by certain product and/or setup conditions. Successful exploitation allows the attacker to compromise data or resources on the affected device.
- Vulnerabilities rated as Low require specific product and/or setup conditions in order for an attacker to successfully exploit them. Successful exploitation allows the attacker to compromise data or resources on the affected device.
Among security researchers, the various vulnerabilities that an attacker can exploit in a user's device setup are sometimes collectively referred to as the 'attack surface'. Precautions or measures used to minimize or close such channels and proactively prevent attacks are part of an information security strategy known as 'attack surface reduction (ASR)'.
For a normal user, the simplest, and most effective safeguard against known vulnerabilities is to keep the device's operating system, and all installed programs, up-to-date with the latest updates published by the vendor(s).
Other proactive steps a user can take involve minimizing their attack surface. These actions will vary depending on how the device is set up and used, but may include:
- Creating and using a separate account with fewer user rights for all online activities, rather than using the default Administrator account;
- Using a 'hardened', sandboxed or VMware-based web browser for accessing the Internet;
- Disconnecting the device from the Internet unless necessary;
- Identifying programs on the device that are known to be frequently targeted for attack; if they are unneeded, uninstall them, or otherwise disable them unless and until needed;
- Encrypting data stored on devices and/or encrypting the devices themselves, to prevent unauthorized access or use of either;
- Using antivirus software that includes an exploit-detection module (e.g., DeepGuard) and keeping it up-to-date with the latest detection databases.
Most product vendors' websites will have more information about the latest security updates available for their programs. For example, Security Advisories has a list of all known vulnerabilities reported for F-Secure products, and includes links to appropriate patches.
In addition, Vulnerability Protection lists the latest patches released by the vendors of popular programs. Users are strongly urged to install security patches for programs present on their systems as soon as they are released by the vendor.
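As an added example, not code from the original article or from F-Secure, the script below automates the "keep everything up to date" advice above: it compares an inventory of installed program versions against a list of vendor advisories and reports which programs are still below the version that carries the fix. The program names, versions and advisories are constructed sample data, not real releases, and the one non-obvious point it demonstrates is that version strings must be compared numerically, component by component, or "4.10" will wrongly sort before "4.9".

```python
"""Added example (not from the original article): a small checker that
compares an inventory of installed program versions against vendor advisories
and reports which programs still need a security patch.  The inventory and
the advisory list below are constructed sample data, not real releases."""
from typing import Dict, List, Tuple

# Constructed inventory: program name -> installed version string.
INSTALLED: Dict[str, str] = {
    "examplebrowser": "101.0.3",
    "examplereader": "11.2.0",
    "examplemedia": "4.9.1",
    "exampleoffice": "2021.7",
}

# Constructed advisories: (program, first version that contains the fix).
ADVISORIES: List[Tuple[str, str]] = [
    ("examplebrowser", "101.0.4"),   # fixed one point release later
    ("examplereader", "11.1.5"),     # installed version is already ahead of the fix
    ("examplemedia", "4.10.0"),      # "4.10" must sort after "4.9"
    ("examplevpn", "3.0.1"),         # not installed: nothing to patch
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.10.0' into (4, 10, 0) so comparison is numeric, not lexical
    ('4.10' < '4.9' as strings, but 10 > 9 as numbers)."""
    return tuple(int(part) for part in v.split("."))


def is_patched(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at least the fixed version.
    Shorter tuples are padded with zeros so '11.2' compares like '11.2.0'."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def outstanding_patches(installed: Dict[str, str],
                        advisories: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (program, installed, fixed_in) for every advisory that applies
    to an installed program whose version is still below the fix."""
    report = []
    for program, fixed_in in advisories:
        current = installed.get(program)
        if current is None:          # program not present: no exposure
            continue
        if not is_patched(current, fixed_in):
            report.append((program, current, fixed_in))
    return report


if __name__ == "__main__":
    for program, current, fixed in outstanding_patches(INSTALLED, ADVISORIES):
        print(f"{program}: installed {current}, patch available in {fixed}")
```

In practice the inventory would come from the operating system's package or program list and the advisories from the vendor pages mentioned above; the comparison logic stays the same.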