Sunday, November 19, 2017

Tag: Vulnerability

In computer security, a vulnerability is a weakness that allows an attacker to reduce a system's information assurance. A vulnerability is the intersection of three elements: a susceptibility or flaw in the system, attacker access to that flaw, and attacker capability to exploit it. To exploit a vulnerability, an attacker needs at least one applicable tool or technique that can reach the weakness. The set of such reachable weaknesses is what is commonly called the system's attack surface.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

A security risk is often mislabelled a vulnerability, and using the two terms interchangeably causes confusion. Risk is tied to the potential for a significant loss, so there can be vulnerabilities without risk: for example, when the affected asset has no value. A vulnerability with one or more known instances of working, fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was available or deployed, or the attacker was disabled (see zero-day attack).

A security bug (security defect) is a narrower concept: not every vulnerability is a software defect. Hardware, site and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Programming-language constructs that are difficult to use correctly are a large source of vulnerabilities.
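As an added illustration of such a construct (example code written for this page, not taken from any article it lists): C's string-copy functions carry no notion of the destination's size, and even the nominally bounded strncpy() does not guarantee a terminating NUL, so a correct-looking call can leave a buffer that later reads out of bounds. The NAME_MAX field size, the function names and the sample inputs are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed-size field for the example */

/* Hard-to-use construct #1: strcpy() has no idea how large dst is.
 * Any src longer than NAME_MAX-1 bytes writes past the end of dst. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* Hard-to-use construct #2: strncpy() is bounded, but when src is at
 * least n bytes long it leaves dst without a terminating NUL, so a
 * later strlen() or printf("%s") reads past the end of dst.
 * Returns whether dst ended up NUL-terminated within its bounds. */
bool strncpy_is_terminated(const char *src) {
    char dst[NAME_MAX];
    memset(dst, 'X', sizeof dst);            /* make a missing NUL visible */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Hardened form: measure src without reading past NAME_MAX bytes, reject
 * anything that does not fit together with its terminator (explicit
 * failure rather than silent truncation), then copy an exact length. */
bool copy_name_safe(char dst[NAME_MAX], const char *src) {
    const char *nul = memchr(src, '\0', NAME_MAX);
    if (nul == NULL) {            /* no NUL in the first NAME_MAX bytes: too long */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* length includes the NUL */
    return true;
}

int main(void) {
    char name[NAME_MAX];

    copy_name_unsafe(name, "alice");          /* safe only because the input is short */
    printf("unsafe copy of short input: %s\n", name);

    printf("strncpy of 5-byte input terminated:  %s\n",
           strncpy_is_terminated("alice") ? "yes" : "no");
    printf("strncpy of 20-byte input terminated: %s\n",
           strncpy_is_terminated("0123456789abcdefghij") ? "yes" : "no");

    printf("safe copy of 15-byte name accepted: %s\n",
           copy_name_safe(name, "0123456789abcde") ? "yes" : "no");
    printf("safe copy of 16-byte name accepted: %s\n",
           copy_name_safe(name, "0123456789abcdef") ? "yes" : "no");
    return 0;
}
```

The point of the hardened version is not just the bound: it makes the failure mode explicit. A caller that gets `false` can reject the input, whereas the strncpy() caller gets a buffer that looks fine until something walks off the end of it.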

Cisco has updated its IOS XE software to address a denial of service vulnerability in its implementation of BGP over an Ethernet VPN.
An adware-laden phony WhatsApp download has been removed from Google Play and the developer’s account suspended, but not before it was downloaded one million times.
Enterprises are grappling with widespread incidents of misconfigured servers leaking sensitive data to the public internet.
The Tor Project released a patch for a vulnerability that leaks the real IP addresses of macOS and Linux users of its Tor Browser.
Zeus Panda, a banking Trojan designed to steal credentials, is being distributed via poisoned Google search results.
Threatpost editors Mike Mimoso and Tom Spring discuss the week's top information security news stories.
Siemens has fixed a remotely executable vulnerability in some versions of its SIMATIC PCS 7 distributed control system, and said that it is working on a fix for remaining affected versions.
Researcher Troy Hunt finds that, as far as the internet has come in adopting HTTPS, it still has a long way to go.
Researchers from MWR Labs used 11 vulnerabilities across six different mobile applications to execute code on a Samsung Galaxy S8 at Mobile Pwn2Own.
The ONI ransomware attacks targeting organizations in Japan are also dropping wiper malware which is being used to delete logs and cover the attackers' tracks.
A bug exploitable in WordPress 4.8.2 and earlier creates unexpected and unsafe conditions ripe for a SQL-injection attack.
A cybercrime outfit stealing from as many as 10 banks in Russia, Armenia and Malaysia has borrowed heavily from one of the kingpins in this realm, Carbanak.