A quick guide to vulnerabilities - what they are, how they can be exploited, and the consequences of exploitation.
The program containing the weakness may be the operating system of a device, or it may be a program installed it.
Some vulnerabilities are discovered by 'white hat' security researchers, who usually report the issue to the software vendors through established bug bounty programs (such as our Vulnerability Reward Program). Others are found by attackers, who put their discoveries to more harmful use.
Vulnerabilities usually arise when a researcher or attacker discovers that part of a program's code can be forced to run in an unexpected way, which results in undesirable behavior. Each vulnerability is unique, so attackers need to use a specific piece of code or method (known as an exploit) to trigger the unexpected behavior.
Some vulnerabilities can only be exploited by an attacker working locally, either with direct access to the device itself or over a local network. In these cases, the attacker may be an authorized user trying to gain unauthorized privileges or access, or an on-the-spot intruder.
If a device with a vulnerability is connected to a network such as the Internet, it may be possible for attackers working remotely to exploit it. There are a number of ways a remote attacker can exploit such a flaw:
If a vulnerability is found and exploited before the program's vendor has released a patch for it, it is known as a 'zero-day vulnerability', and attacks against it are known as 'zero-day attacks'.
These attacks are considered dangerous because they are usually hard to spot and deflect. Examples of attacks that have used zero-day vulnerabilities to devastating effect include:
Most vendors will release an advisory offering workarounds or mitigation strategies that users or organizations can deploy while waiting for an official patch to be released.
When an attacker successfully exploits a vulnerability, they can perform unauthorized actions on the affected program or device. The actions they can take depend on the severity of the vulnerability that is targeted.
Vulnerabilities are given a severity rating based on two factors: how easy the weakness is to exploit; and the impact exploiting it can have on the program, device or data. Though each security product vendor may use slightly differing criteria to rate vulnerabilities, most have very similar rating scales:
No visible sign of infection, no visible user interaction
The most damaging vulnerabilities. If successfully exploited, an attacker can:
Require some form of user interaction
These vulnerabilities usually involve manipulating the user, for example by using fraudulent prompts or messages. If successfully exploited, the attacker can compromise data or resources on the device
Exposure may be mitigated by certain product and/or setup conditions
These vulnerabilities can only be exploited if they are not protected by known workarounds or mitigating factors. If successfully exploited, the attacker can compromise data or resources on the device
Requires specific product and/or setup conditions
These vulnerabilities can only be exploited when the program or setup meet specific conditions. If successfully exploited, the attacker can compromise data or resources on the device.
Security researchers use the term 'attack surface' to collectively refer to all the vulnerabilities or potential attack channels that can be used to affect a device. Regular users can minimize or close these weak points for their own devices by taking various precautions or actions, in a strategy known as 'attack surface reduction (ASR)'.
The simplest, and most effective safeguard against known vulnerabilities is to keep the device's operating system and all installed programs up-to-date with the latest security patches published by the programs' vendors.
Most vendors' websites will have information about the latest security updates available for their programs. For example, Security Advisories has a list of all known vulnerabilities reported for F-Secure products, and includes links to appropriate patches.
Other pro-active steps you can take will vary depending on how your device is set up and used, but can include: