Thursday, January 18, 2018

Tag: Vulnerability

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

A security risk may be classified as a vulnerability. Using "vulnerability" with the same meaning as "risk" can lead to confusion. Risk is tied to the potential of a significant loss, so there are vulnerabilities without risk: for example, when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability — a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled—see zero-day attack.

A security bug (security defect) is a narrower concept. Some vulnerabilities are not related to software: hardware, site, and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

Microsoft is pausing the rollout of Windows Meltdown and Spectre patches until hosted anti-virus software vendors confirm no unsupported Windows kernel calls via the addition of a registry key on PCs.
Apple releases patches addressing the Spectre vulnerability impacting its macOS, iPhone, iPad and iPod touch.
The U.S. Customs and Border Patrol announced new restrictions on when agents can copy data from digital devices at border crossing points.
Mitigating Spectre and Meltdown flaws won't be easy, but experts say exploits targeting Spectre will be hard to patch against.
Google removed 22 malicious adware apps, ranging from flashlights and call recorders to Wi-Fi signal boosters, that together were downloaded up to 7.5 million times from the Google Play marketplace.
Intel, Amazon, ARM, Microsoft and others have shared patch updates to keep customers informed on their mitigation efforts to protect against the far-reaching Spectre and Meltdown vulnerabilities impacting computers, servers and mobile devices worldwide.
Intel is grappling with a processor design flaw impacting CPUs used in Linux, Windows and some macOS systems.
A researcher with the Twitter handle ‘Siguza’ published details of a macOS local privilege escalation vulnerability dating back to 2002 that could give an attacker root access to systems.
VMware released three patches fixing critical vulnerabilities affecting its vSphere cloud computing virtualization platform.
Fashion retailer updates disclosure on 2017 attack, says hackers targeted point-of-sale terminals that used no encryption.
Researchers warn of copycat-type attacks as exploit code used in Mirai variant goes public.
Ancestry.com closes parts of its community-driven genealogy site RootsWeb as it investigates a leaky server that exposed thousands of passwords, email addresses and usernames to the public internet.