Saturday, October 21, 2017

Tag: Vulnerabilities

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

A security risk may be classified as a vulnerability. Using "vulnerability" with the same meaning as "risk" can lead to confusion: risk is tied to the potential of a significant loss, so there are vulnerabilities without risk, for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was available or deployed, or the attacker was disabled (see zero-day attack).

A security bug (security defect) is a narrower concept: not every vulnerability is related to software. Hardware, site and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

Lenovo customers are being told to update their Android tablets and handsets to protect themselves against a handful of critical vulnerabilities impacting tens of millions of Lenovo devices.
On October 16th, 2017, a research paper with the title of "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" was made publicly available.

This paper discusses seven vulnerabilities affecting session key negotiation in both the Wi-Fi Protecte...
A flawed Infineon Technology chipset left HP, Lenovo and Microsoft devices open to what is called a 'practical factorization attack,' in which an attacker computes the private part of an RSA key.
Adobe today released an out-of-band Flash Player update addressing a zero-day vulnerability being exploited by a little-known Middle Eastern APT group called Black Oasis.
The KRACK, or key reinstallation attack, disclosed today allows attackers to decrypt encrypted traffic, steal data and inject malicious code, depending on the network configuration.
Researchers unearth new tactics and strategies used by the criminals behind the hacking group known as Bronze Butler.
Hyatt said its payment systems have been breached, exposing credit card data from 41 hotels in 11 countries between March and July this year.
Three malicious Chrome extensions spoofing AdBlock Plus were removed from the Chrome Web Store this week.
Staff writer Chris Brook says farewell to Threatpost after eight years on the site. He and Mike Mimoso talk about Threatpost's early days and how the site grew up alongside the security industry.
A forgotten feature in Microsoft Office allows attackers to bypass antivirus scanners and pull off document-based attacks to install malware.
Researchers say in a 30-day period cybercriminals behind the Locky ransomware have updated the malware three times and have stepped up spam campaigns.
Equifax has temporarily taken down one of its consumer-facing credit report services after the webpage was compromised and serving adware via a phony Flash Player download.