Home Tags Vulnerability

Tag: Vulnerability

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

A security risk may be classified as a vulnerability. The use of vulnerability with the same meaning of risk can lead to confusion. The risk is tied to the potential of a significant loss. Then there are vulnerabilities without risk: for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability — a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled—see zero-day attack.

Security bug (security defect) is a narrower concept: there are vulnerabilities that are not related to software: hardware, site, personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

Cisco Patches XXE, DOS, Code Execution Vulnerabilities

Cisco patched three vulnerabilities in three products this week that if exploited, could have resulted in a denial of service, crash and in some instances, arbitrary and remote code execution.

Average Cost of Breach Goes Down For the First Time Ever

The good news is the cost of a data breach is down double-digits, the bad news the size and scope of breaches is creeping up.

Microsoft Says Fireball Threat ‘Overblown’

Check Point has toned down its initial estimates on the number of Fireball malware infections from 250 million machines and 20 percent of corporate networks to 40 million computers.

Drupal Patches Three Vulnerabilities in Core Engine

Developers with Drupal patched three vulnerabilities, one critical, one being exploited in the wild, in Drupalrsquo;s core engine on Wednesday.

GhostHook Attack Bypasses Windows 10 PatchGuard

Researchers at CyberArk have developed a bypass for Windows PatchGuard that leverages Intel's Processor Trace (Intel PT) technology to execute code at the kernel.

NSA-Backed OpenC2.org Aims to Defend Systems at Machine Speed

Security experts, vendors, business and the NSA are developing a standardized language that rather than autonomously understands threats, acts on them.

Microsoft Extends Edge Bug Bounty Program Indefinitely

Microsoft said Wednesday it would extend its Edge bug bounty program indefinitely.

Trump’s Cybersecurity Executive Order Under Fire

Former ATT CSO, Ed Amoroso, says government needs to shift from talk to action when it comes to cybersecurity.

Honda Shut Down Plant Impacted by WannaCry

Carmaker Honda announced Wednesday that it was forced to shut down production at one of its Japanese plants earlier this week after it was hit by the WannaCry ransomware.

OpenVPN Patches Critical Remote Code Execution Vulnerability

OpenVPN patched four vulnerabilities privately disclosed by Dutch researcher Guido Vranken, including a critical issue that could lead to remote code execution.

Avaya Patches Remote Code Execution Flaw in Aura

Avaya released a patch last week for a remote code execution vulnerability in its Avaya Aura Application Enablement Services software.

TP-Link Fixes Code Execution Vulnerability in End-of-Life Routers

Router manufacturer TP-Link recently fixed a vulnerability in a discontinued line of routers that if exploited could have been used to execute code on the device.