Wednesday, December 13, 2017

Tag: Vulnerability

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

A security risk may be classified as a vulnerability, but using "vulnerability" as a synonym for "risk" can lead to confusion. Risk is tied to the potential for a significant loss, so there can be vulnerabilities without risk, for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was made available or deployed, or the attacker was disabled (see zero-day attack).

A security bug (security defect) is a narrower concept: not every vulnerability is a software flaw. Hardware, site (physical), and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

Microsoft patched 34 vulnerabilities in all on Tuesday with most of the bugs impacting Microsoft Edge, Microsoft Office and Microsoft’s Scripting Engine.
A ransomware campaign targeting the Balkans comes with a 96-hour deadline and includes a link to a video that assures victims payments can be made easily.
Researchers are warning of a default-configuration vulnerability in the enterprise-class keyless entry products made by AMAG Technology.
HP released an update that fixes debugger code that could allow an attacker to use a Synaptics Touchpad driver as a keylogger.
An Android vulnerability called Janus allows attackers to inject malicious code into signed Android apps.
Apple said it has fixed an undisclosed vulnerability in its HomeKit framework that could have allowed unauthorized remote control of HomeKit devices such as smart locks and connected garage door openers.
Using a free tool called Spinner, researchers identified certificate pinning vulnerabilities in mobile banking apps that left customers vulnerable to man-in-the-middle attacks.
As part of its December Android and Pixel/Nexus security updates, Google has issued patches addressing a bevy of flaws, 11 of which are rated critical.
TeamViewer says it has issued a hotfix to address a bug that allows users sharing a desktop session to gain control of the other’s computer without permission.
A proof-of-concept attack developed by researchers targets users of the development platforms for Android and Java.
Google beefs up privacy protections on apps distributed via third-party Android marketplaces and Google Play that collect personal data without user consent.
Researchers have found a variant of the Ursnif Trojan, which they describe as a "v3 build", that targets Australian bank customers with new redirection attack techniques.