Home Tags Vulnerability

Tag: Vulnerability

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

A security risk may be classified as a vulnerability. The use of vulnerability with the same meaning of risk can lead to confusion. The risk is tied to the potential of a significant loss. Then there are vulnerabilities without risk: for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability — a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled—see zero-day attack.

Security bug (security defect) is a narrower concept: there are vulnerabilities that are not related to software: hardware, site, personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

Security community takes a critical look at CTS-Labs' disclosure of vulnerabilities in AMD vulnerabilities found in EPYC servers, Ryzen workstationsm and Ryzen mobile offerings.
An Iran-linked group is linked to a massive spear phishing campaign that sends malicious Word Docs to victims in Asia and the Middle East.
Researchers highlight a privately held traffic distribution system tool for malware called BlackTDS that lowers the bar to entry for threat actors.
Researchers shed light on a newly discovered family of point of sale malware that is extremely small in size and adept at siphoning credit card numbers from POS endpoints.
Products receiving the most patches included Microsoft browsers and browser-related technologies such as the company’s JavaScript engine Chakra.
Researchers on Tuesday disclosed over a dozen critical security vulnerabilities in several AMD chips, opening them up for attackers who want to steal sensitive data and install malware on AMD servers, workstations and laptops.
Samba released fixes for its networking software to address two critical vulnerabilities that allowed attackers to change admin password or launch DoS attacks.
Cyber espionage group APT15 is back, this time stealing sensitive data from a UK government contractor.
At the Security Analyst Summit this year in Cancun, FireEye's Marina Krotofil talks about the Triton malware, first disclosed in December 2017, that targets industrial control systems.
As investigations continue about the backdoor that was planted in CCleaner, Avast said it has found that the actors behind the attack were planning to install a third round of malware on compromised computers.
Researchers have uncovered a new cyber-espionage threat that uses MikroTik routers as a springboard to launch attacks within a network.
A new analysis of the Russian-speaking Sofacy APT gang shows a continual march toward Far East targets and overlapping of activities with other groups such as Lamberts, Turla and Danti.