3.1 C
London
Sunday, November 19, 2017
Home Tags Vulnerability

Tag: Vulnerability

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

A security risk may be classified as a vulnerability. The use of vulnerability with the same meaning of risk can lead to confusion. The risk is tied to the potential of a significant loss. Then there are vulnerabilities without risk: for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability — a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled—see zero-day attack.

Security bug (security defect) is a narrower concept: there are vulnerabilities that are not related to software: hardware, site, personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

IBM’s X-Force Research team reports hackers attacking Brazilian banks are using the Windows scripting tool called AutoIt to reduces the likelihood of antivirus software detection.
Threatpost editors Mike Mimoso and Tom Spring discuss the week's information security news.
Developers using the Twilio platform to build enterprise mobile communications apps have put call and text data at risk for exposure.
Microsoft published guidance for Windows admins on how to safely disable Dynamic Data Exchange (DDE) fields in Office that are being used to spread malware in email-based attacks.
Security experts Charlie Miller and Chris Valasek, contemplate the larger universe of the Internet of things and security.
Between $150 million and $300 million in digital currency called ether remains inaccessible today after a user said he “accidentally” triggered a vulnerability that froze the funds in the popular Parity wallet.
Google this week finally addressed the KRACK vulnerability in Android, three weeks after the WPA2 protocol flaw was publicly disclosed.
Questions brew over whether Mantistek GK2 Mechanical Gaming Keyboard is snooping on users as they type.
The FBI cannot access a cellphone belonging to the dead suspect in Sunday’s Texas shooting, a situation that could reignite the government’s debate over encryption.
Academic researchers size up weaknesses in the the code-signing Public Key Infrastructure and highlight three types of flaws.
Trustwave discloses an unpatched vulnerability in Brother printers with the Debut embedded webserver after numerous attempts to contact the vendor failed.
Weak cryptography in the IEEE P1735 electronics standard allow attackers to recover valuable intellectual property in plaintext from SoCs and integrated circuits.