Security 101: Vulnerabilities, Part 1

Welcome back to Security 101.

The topic of today’s blog is vulnerabilities. In our frequent McAfee Labs Threat Advisories you see the term vulnerability in almost every item. “A vulnerability has been found…” or “A vulnerability in some versions of…” are commonplace. What is a vulnerability?

A vulnerability is a program bug that under certain circumstances makes the program behave incorrectly. Vulnerabilities are certain types of bugs that allow other people (usually attackers) to take advantage of them to abuse the program.

A useful analogy is to compare a system with a building. The operating system (OS) is the structure, giving support and foundation to the system, and the applications are the building’s rooms or the rooms’ contents. In this analogy, the users are the inhabitants of the building.

Each room in a building has a door, the communications channel between an application and the OS. Some even have windows, which allow programs to communicate with the exterior or the environment, such as Internet browsers or email clients.

A vulnerability is a flaw in the structure of the room—a door or window that shouldn’t exist, or a hole in the wall. This flaw could allow strangers to infiltrate the building, or to leave packages that could damage the building. That is why, for a system to be secure, the number of vulnerabilities must be as few as possible, because they are the entrance points for intruders and malware.

Not all vulnerabilities are equal. There are different kinds, with different effects, but all of them fall into one of two categories: local or remote. A local vulnerability is one that requires the intruder to have physical access to the machine, to the hardware itself, either with his or her own credentials or with stolen ones. In our analogy, this intruder must be an inhabitant of the building or must impersonate one.

A remote vulnerability, on the other hand, does not require the intruder to be present. It is enough for an attacker to send to the system a malicious file, a package with a very nasty surprise. This is why a remote vulnerability is always more dangerous than a local one.

We also classify vulnerabilities by risk level: high, medium, or low risk. Risk depends a lot on the criteria used by each person; at McAfee we define risks to make it clear to our customers what they should expect. Today we will look at only high-risk vulnerabilities; next time we will examine medium- and low-risk flaws.

High-Risk Vulnerabilities:

  • Remote Code Execution (RCE): The riskiest vulnerability, RCE, when fully exploited, allows an attacker to take full control of the vulnerable system. It would be like putting a robot inside the flawed room that could do anything the attacker wanted, even affect other rooms or the structure itself. Some of the most dangerous malware needs this kind of vulnerability to work, because the flaw allows the malware to run without alerting the users. If a security patch covers this, it usually means the risk is great. It’s best to heed the warning.
  • Denial of Service (DoS): Another high-risk vulnerability, a DoS can freeze or crash the vulnerable program, or even the hardware itself in the worst cases. In this case the room’s door and windows are completely blocked, isolating the room from the building or the exterior. If the flaw is in the building itself, then the whole structure is cut off. Attacks by the Anonymous Group were examples of exploited DoS vulnerabilities. It is not difficult to imagine the chaos if the structure under attack is a router, server, or any other network infrastructure. A DoS vulnerability can vary in seriousness; it depends on which room is blocked. A closet could be less important than a bathroom or a meeting room.
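To make the DoS category above concrete, here is an added example (not code from the McAfee post) of the kind of bug that lets a single malformed message crash a program. The wire format is a constructed one for the example, a one-byte length followed by that many payload bytes; the first parser trusts the length field as received, the second validates it against both the data actually received and the destination buffer before copying. The function and buffer names are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed wire format for this example: [1 byte length][payload bytes]. */

/* Vulnerable parser: trusts the attacker-controlled length byte. A message that
   claims more bytes than it carries makes memcpy read past the received data,
   and a length larger than `out` writes past the destination. Either way the
   process can crash on one bad message: a denial of service of the kind the
   post describes (in the write case, potentially worse). */
static int parse_untrusted_length(const unsigned char *msg, size_t msg_len,
                                  char *out, size_t out_len)
{
    (void)msg_len; (void)out_len;          /* the bug: both limits are ignored */
    size_t field_len = msg[0];
    memcpy(out, msg + 1, field_len);
    out[field_len] = '\0';
    return (int)field_len;
}

/* Hardened parser: every length is checked before any copy happens, so a
   malformed message is rejected with -1 instead of taking the program down. */
static int parse_checked_length(const unsigned char *msg, size_t msg_len,
                                char *out, size_t out_len)
{
    if (msg == NULL || out == NULL || msg_len < 1 || out_len < 1)
        return -1;
    size_t field_len = msg[0];
    if (field_len > msg_len - 1)           /* claims more than was received */
        return -1;
    if (field_len >= out_len)              /* would not fit, incl. terminator */
        return -1;
    memcpy(out, msg + 1, field_len);
    out[field_len] = '\0';
    return (int)field_len;
}

/* Constructed sample messages (not captured traffic). */
static const unsigned char GOOD_MSG[] = { 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char BAD_MSG[]  = { 200, 'h', 'i' };  /* claims 200, carries 2 */

/* Well-formed input: both parsers return the payload length, 5. */
int demo_untrusted_good(void)
{
    char out[64];
    return parse_untrusted_length(GOOD_MSG, sizeof GOOD_MSG, out, sizeof out);
}

int demo_checked_good(void)
{
    char out[64];
    return parse_checked_length(GOOD_MSG, sizeof GOOD_MSG, out, sizeof out);
}

/* Malformed input: the hardened parser returns -1; the untrusted one would
   read 200 bytes from a 3-byte message, so it is deliberately not called here. */
int demo_checked_malformed(void)
{
    char out[64];
    return parse_checked_length(BAD_MSG, sizeof BAD_MSG, out, sizeof out);
}

/* Destination too small for a 5-byte field plus terminator: also rejected. */
int demo_checked_small_destination(void)
{
    char out[5];
    return parse_checked_length(GOOD_MSG, sizeof GOOD_MSG, out, sizeof out);
}

int main(void)
{
    printf("untrusted, good message : %d\n", demo_untrusted_good());
    printf("checked,   good message : %d\n", demo_checked_good());
    printf("checked,   malformed    : %d\n", demo_checked_malformed());
    printf("checked,   small buffer : %d\n", demo_checked_small_destination());
    return 0;
}
```

The point for defenders is that the difference between the two parsers is a handful of comparisons: input that arrives from outside the room (the window, in the post's analogy) must never be allowed to dictate how much memory the program reads or writes without being checked first.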


To see examples of these vulnerabilities, take a look at our McAfee Security Awareness Community, where we post all of our Threat Advisories.

Next: Part 2: Medium- and Low-Risk Vulnerabilities