English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeThreatsVulnerabilities and hackersSoftware vulnerabilities

Software vulnerabilities

The term 'vulnerability' is often mentioned in connection with computer security, in many different contexts.

In its broadest sense, the term 'vulnerability' is associated with some violation of a security policy. This may be due to weak security rules, or it may be that there is a problem within the software itself. In theory, all computer systems have vulnerabilities; whether or not they are serious depends on whether or not they are used to cause damage to the system.

There have been many attempts to clearly define the term 'vulnerability' and to separate the two meanings. MITRE, a US federally funded research and development group, focuses on analysing and solving critical security issues. The group has produced the following definitions:

According to MITRE's CVE Terminology:

[...] A universal vulnerability is a state in a computing system (or set of systems) which either:

  • allows an attacker to execute commands as another user
  • allows an attacker to access data that is contrary to the specified access restrictions for that data
  • allows an attacker to pose as another entity
  • allows an attacker to conduct a denial of service

MITRE believes that when an attack is made possible by a weak or inappropriate security policy, this is better described as 'exposure':

An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:

  • allows an attacker to conduct information gathering activities
  • allows an attacker to hide activities
  • includes a capability that behaves as expected, but can be easily compromised
  • is a primary point of entry that an attacker may attempt to use to gain access to the system or data is considered a problem according to some reasonable security policy

When trying to gain unauthorized access to a system, an intruder usually first conducts a routine scan (or investigation) of the target, collects any 'exposed' data, and then exploits security policy weaknesses or vulnerabilities. Vulnerabilities and exposures are therefore both important points to check when securing a system against unauthorized access.

What we detect
Spam and phishing
Vulnerabilities and hackers
Software vulnerabilities
Vulnerabilities examples
Basic vulnerabilities statistics
How to detect a hacker attack
An analysis of hacker mentality
A brief history of hacking
Notable hackers
Hackers and the law
Internal threats

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search