
Vulnerability (computer security)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 82.243.18.221 (talk) at 20:40, 30 August 2006 (+fr). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

For other uses of the word "Vulnerability", please refer to vulnerability.

In computer security, the word vulnerability refers to a weakness in a system allowing an attacker to violate the integrity, confidentiality, access control, availability, consistency or audit mechanism of the system or the data and applications it hosts. Vulnerabilities may result from bugs or design flaws in the system. A vulnerability may exist only in theory, or it may have a known exploit. Vulnerabilities are of significant interest when the program containing the vulnerability operates with special privileges, performs authentication or provides easy access to user data or facilities (such as a network server or RDBMS).

Causes

Vulnerabilities often result from the carelessness of a programmer, though they may have other causes. A vulnerability usually allows an attacker to trick the application into (for example) bypassing access control checks or executing commands on the system hosting the application.

Some vulnerabilities arise from un-sanitized user input, often allowing the direct execution of commands or SQL statements (known as SQL injection). Others arise from the programmer's failure to check the size of data buffers, which can then be overflowed, causing corruption of the stack or heap areas of memory (including causing the computer to execute code provided by the attacker).
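The first cause named above, un-sanitized user input reaching an SQL statement, is easiest to see side by side with its fix. The following is an added example (not part of the Wikipedia article) using Python's standard sqlite3 module on an in-memory database with constructed sample rows: one lookup builds the query by string concatenation, so the input becomes part of the SQL text; the other passes the input as a bound parameter, so the database engine only ever treats it as data.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
]


def make_db():
    """Create an in-memory SQLite database holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates the input into the statement: unsanitized input becomes SQL."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Parameterised query: the driver binds the input as a value, never as SQL text."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo():
    """Run both lookups with an ordinary name and with input that rewrites the WHERE clause."""
    conn = make_db()
    honest = "alice"
    hostile = "' OR '1'='1"  # constructed input: closes the string literal and adds an always-true clause
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_honest": lookup_safe(conn, honest),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the hostile input the concatenated query becomes `SELECT name FROM users WHERE name = '' OR '1'='1'`, which matches every row; the parameterised version compares the column against the literal string and returns nothing. The same separation of code from data is the general fix for the injection class the paragraph describes.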

Vulnerability disclosure

The method of disclosing vulnerabilities is a topic of debate in the computer security community. Some advocate immediate full disclosure of information about vulnerabilities once they are discovered. Others argue for limiting disclosure to the users placed at greatest risk, and only releasing full details after a delay, if ever. Such delays may allow those notified to fix the problem by developing and applying patches, but may also increase the risk to those not privy to full details. This debate has a long history in security; see full disclosure and security through obscurity. More recently a new form of commercial vulnerability disclosure has taken shape, see for example TippingPoint's Zero Day Initiative.

Vulnerability disclosure date

The time of disclosure of a vulnerability is defined differently in the security community and industry. It is most commonly referred to as "a kind of public disclosure of security information by a certain party". Usually, vulnerability information is discussed on a mailing list or published on a security web site and results in a security advisory afterwards.

The time of disclosure is the first date a security vulnerability is described on a channel where the disclosed information on the vulnerability fulfills the following requirements:

  • the information is freely available to the public
  • the vulnerability information is published by a trusted and independent channel/source
  • the vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure

From the security perspective, only a free and public disclosure can ensure that all interested parties get the relevant information. Security through obscurity is a concept that never worked.

The source of the vulnerability disclosure must be independent of a vendor or a government. It has to be unbiased to enable a fair dissemination of security-critical information. A channel is considered trusted when it is a widely accepted source of security information in the industry (e.g. CERT, SecurityFocus and Secunia).

Analysis and risk rating ensure the quality of the disclosed information. Mere discussion of a potential flaw on a mailing list, or vague information from a vendor, therefore does not qualify. The analysis must include enough details to allow a concerned user of the software to assess his individual risk or take immediate action to protect his assets.

Identifying and removing vulnerabilities

Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system.

Vulnerabilities have been found in every major operating system including Windows, Mac OS, various forms of Unix and Linux, OpenVMS, and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance (e.g. applying software patches), best practices in deployment (e.g. the use of firewalls and access controls) and auditing (both during development and throughout the deployment lifecycle).

Examples of vulnerabilities

Well-known vulnerabilities include (but are not limited to)

See also