Vulnerabilities

A quick guide to vulnerabilities - what they are, how they can be exploited, and the consequences of exploitation.

A vulnerability is a weakness in a program that can be exploited to perform unauthorized actions.

The program containing the weakness may be the operating system of a device, or it may be a program installed on it.

Some vulnerabilities are discovered by 'white hat' security researchers, who usually report the issue to the software vendors through established bug bounty programs (such as our Vulnerability Reward Program). Others are found by attackers, who put their discoveries to more harmful use.

Exploiting a vulnerability

How can vulnerabilities be exploited?

Vulnerabilities usually come to light when a researcher or attacker discovers that part of a program's code can be forced to run in an unexpected way, which results in undesirable behavior. Each vulnerability is unique, so attackers need to use a specific piece of code or method (known as an exploit) to trigger the unexpected behavior.

Some vulnerabilities can only be exploited by an attacker working locally, either with direct access to the device itself or over a local network. In these cases, the attacker may be an authorized user trying to gain unauthorized privileges or access, or an on-the-spot intruder.

If a device with a vulnerability is connected to a network such as the Internet, it may be possible for attackers working remotely to exploit it. There are a number of ways a remote attacker can exploit such a flaw:

  • Exploit kits
    The user is lured into opening a website on their device. The site hosts an exploit kit that probes the device for vulnerabilities and tries to exploit them.
  • Direct exploitation
    A flaw in the way the device connects to the Internet allows it to be exploited directly, without any action by the user.

Zero-day vulnerabilities

If a vulnerability is found and exploited before the program's vendor has released a patch for it, it is known as a 'zero-day vulnerability', and attacks against it are known as 'zero-day attacks'.

These attacks are considered dangerous because they are usually hard to spot and deflect. Examples of attacks that have used zero-day vulnerabilities to devastating effect include:

Most vendors will release an advisory offering workarounds or mitigation strategies that users or organizations can deploy while waiting for an official patch to be released.

0-day Fixes lists detections used by F-Secure products to safeguard users against zero-day vulnerabilities reported in Microsoft's latest Security Advisories.

Impact and consequences

When an attacker successfully exploits a vulnerability, they can perform unauthorized actions on the affected program or device. The actions they can take depend on the severity of the vulnerability that is targeted.

Vulnerabilities are given a severity rating based on two factors: how easy the weakness is to exploit; and the impact exploiting it can have on the program, device or data. Though each security product vendor may use slightly differing criteria to rate vulnerabilities, most have very similar rating scales:

Severity ratings and their consequences:

Critical - No visible sign of infection, no visible user interaction
The most damaging vulnerabilities. If successfully exploited, an attacker can:

  • Take total control of the affected device, and the data stored on it
  • Use the program or device to launch attacks on other devices connected to it, expanding the circle of potential damage

Important - Requires some form of user interaction
These vulnerabilities usually involve manipulating the user, for example by using fraudulent prompts or messages. If successfully exploited, the attacker can compromise data or resources on the device.

Moderate - Exposure may be mitigated by certain product and/or setup conditions
These vulnerabilities can only be exploited if they are not protected by known workarounds or mitigating factors. If successfully exploited, the attacker can compromise data or resources on the device.

Low - Requires specific product and/or setup conditions
These vulnerabilities can only be exploited when the program or setup meets specific conditions. If successfully exploited, the attacker can compromise data or resources on the device.

Pro-active protection

Security researchers use the term 'attack surface' to collectively refer to all the vulnerabilities or potential attack channels that can be used to affect a device. Regular users can minimize or close these weak points for their own devices by taking various precautions or actions, in a strategy known as 'attack surface reduction (ASR)'.

Keeping programs up-to-date

The simplest and most effective safeguard against known vulnerabilities is to keep the device's operating system and all installed programs up-to-date with the latest security patches published by the programs' vendors.

Most vendors' websites will have information about the latest security updates available for their programs. For example, Security Advisories has a list of all known vulnerabilities reported for F-Secure products, and includes links to appropriate patches.

In addition, Vulnerability Protection lists the latest patches released by the vendors of popular programs. Users are strongly urged to install security patches for programs present on their systems as soon as they are released by the vendor.
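As an added illustration of the patching check described above (this is example code written for this article, not an F-Secure tool), the script below compares a constructed inventory of installed programs against a constructed list of vendor advisories, each naming the first version that contains the fix. The program names, versions and advisory entries are all made up for the example. It compares versions numerically rather than as strings, so that "1.10.0" is correctly treated as newer than "1.9.4".

```python
"""Report installed programs that predate the fixed version in a vendor advisory.

Added example: all data below is constructed for illustration and does not
describe real products, versions or advisories.
"""
import re

# Constructed inventory of installed programs (hypothetical names and versions).
INSTALLED = {
    "pdfviewer": "2.9.1",
    "mediaplayer": "1.10.0",
    "archiver": "5.2",
    "browser": "120.0.2",
}

# Constructed advisories: program -> first version containing the security fix.
ADVISORIES = {
    "pdfviewer": "2.10.0",
    "mediaplayer": "1.9.4",
    "archiver": "5.2.1",
    # no advisory published for "browser"
}


def parse_version(version):
    """Turn '1.10.0' into the tuple (1, 10, 0) so components compare numerically.
    Plain string comparison would wrongly rank '1.10.0' below '1.9.4'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so '5.2' compares as '5.2.0'."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def is_outdated(installed, fixed):
    """True when the installed version is older than the fixed version."""
    a, b = _pad(parse_version(installed), parse_version(fixed))
    return a < b


def outdated_programs(installed=INSTALLED, advisories=ADVISORIES):
    """Return {program: (installed_version, fixed_version)} for every program
    that has an advisory and is still running a version older than the fix."""
    report = {}
    for name, fixed in advisories.items():
        current = installed.get(name)
        if current is not None and is_outdated(current, fixed):
            report[name] = (current, fixed)
    return report


if __name__ == "__main__":
    for name, (current, fixed) in sorted(outdated_programs().items()).__iter__():
        print(f"{name}: installed {current}, patch available in {fixed}")
```

Running it lists pdfviewer and archiver as needing patches, while mediaplayer is correctly left alone because 1.10.0 is already newer than the 1.9.4 fix. In a real deployment the inventory would come from the operating system's package or program list and the advisories from the vendor pages mentioned above; the version-comparison logic is the part worth getting right, since a naive string comparison can hide an out-of-date program or flag a patched one.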

More precautions

Other pro-active steps you can take will vary depending on how your device is set up and used, but can include:

  • Connecting only when needed
    Disconnect the device from the Internet (including turning off Wi-Fi) when you're not actively using data.
  • Separate Administrator and user accounts
    Use a separate, password-protected Administrator account for administrative tasks only, so that it's harder for an attacker to take total control of the device.
  • Remove unused or vulnerable programs
    Remove programs that are frequently targeted or seldom used. You can also just disable them until needed.
  • Use an up-to-date antimalware product
    Regularly scan your device with a reputable antimalware product to check for issues.
  • Use encryption
    Encrypt data stored on devices (or the device itself) to prevent unauthorized access or use.