Software vulnerabilities

The term ‘vulnerability’ is often mentioned in connection with computer security, in many different contexts.

In its broadest sense, the term ‘vulnerability’ is associated with some violation of a security policy. This may be due to weak security rules, or it may be that there is a problem within the software itself. In theory, all computer systems have vulnerabilities; whether or not they are serious depends on whether or not they are used to cause damage to the system.

There have been many attempts to clearly define the term ‘vulnerability’ and to separate the two meanings. MITRE, a US federally funded research and development group, focuses on analysing and solving critical security issues. The group has produced the following definitions:

According to MITRE’s CVE Terminology:

[…] A universal vulnerability is a state in a computing system (or set of systems) which either:

allows an attacker to execute commands as another user
allows an attacker to access data that is contrary to the specified access restrictions for that data
allows an attacker to pose as another entity
allows an attacker to conduct a denial of service
MITRE believes that when an attack is made possible by a weak or inappropriate security policy, this is better described as ‘exposure’:

An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:

  • allows an attacker to conduct information gathering activities
  • allows an attacker to hide activities
  • includes a capability that behaves as expected, but can be easily compromised
  • is a primary point of entry that an attacker may attempt to use to gain access to the system or data is considered a problem according to some reasonable security policy
  • When trying to gain unauthorized access to a system, an intruder usually first conducts a routine scan (or investigation) of the target, collects any ‘exposed’ data, and then exploits security policy weaknesses or vulnerabilities. Vulnerabilities and exposures are therefore both important points to check when securing a system against unauthorized access.
backdoors-in-d-links-backyard

Backdoors in D-Link’s backyard

If you want to make the world safer, start with the smart things in your home. Or, to be more specific, start with your router – the core of any home network as well as an interesting research object. And that router you got from your ISP as part of your internet contract is even more interesting when it comes to research. Read Full Article

it-threat-evolution-q1-2018

IT threat evolution Q1 2018

In January, we uncovered a sophisticated mobile implant Skygofree that provides attackers with remote control of infected Android devices. Network worm OlympicDestroyer attacked on the Olympic infrastructure just before the opening of the games in February. Read Full Article

apt-trends-report-q1-2018

APT Trends report Q1 2018

In the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of the research we have been conducting. This report serves as the next installment, focusing on the relevant activities that we observed during Q1 2018. Read Full Article

threat-landscape-for-industrial-automation-systems-in-h2-2017

Threat Landscape for Industrial Automation Systems in H2 2017

Kaspersky Lab ICS CERT publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second half of 2017. The main objective of these publications is to provide information support to incident response teams, enterprise information security staff and researchers in the area of industrial facility security. Read Full Article