Computer vulnerability of systems and software
Computer vulnerabilities are often confused with viruses or malware. Even if the boundary is sometimes blurred, it is important to better understand and distinguish these threats in order to effectively protect your systems.
All computer software have bugs. Most of these bugs are annoying, but they are hamless.
However, some bugs allow to read protected information, to modify data, or to disrupt the service. These bugs that have an impact on system security are called computer vulnerabilities, which require your vigilance.
For example, if the vulnerable software has not anticipated the case (i.e. if it is buggy), an attacker can use a path like "../../sensitive_file" to read this file. This software flaw therefore makes it possible to read protected information. Developers should have used canonical paths in this case.
Another example, if the vulnerable system has not foreseen it, a hacker can use a login with a syntax like "user1 \0 user2", in order to authenticate himself under another account. This computer vulnerability thus compromises data. In this case, developers should have filtered the forbidden characters.
Last example, if the vulnerable network protocol is not prepared, a hacker can send a request generating a very large response, in order to overload the network. This protocol error then disrupts the service. In this case, designers should have limited the size of unauthenticated responses.
In any case, we can see that these errors in the design or development of applications have an impact on security. These are vulnerabilities.
There are several formal definitions of a computer vulnerability.
The ANSSI glossary of terms uses: Fault, due to malice or clumsiness, in the specifications, design, construction, installation or configuration of a system, or in the way it is used.
EBIOS defines a vulnerability as a "Characteristic of a support asset that may constitute a weakness or flaw in terms of information system security".
Vulnerabilities are sometimes discovered by chance, when a developer notices an error in his code.
A user can also notice a malfunction and report it.
Most vulnerabilities are discovered by specialized researchers, who analyze the source code of software, or disassemble it.
They often use tools called fuzzers, sending random data, in order to trigger errors, which are an indication of a flaw.
Processes for reporting a computer vulnerability are quite varied.
Some people behave responsibly, contacting developers, waiting for the software to be fixed, and even waiting another delay so users have time to fix the vulnerability.
Other people benefit from their discovery, either by selling the information or by developing an attack tool.
As soon as technical details on the threat are available, specialized developers will create demonstrators or exploits.
A demonstrator is an attack tool, which proves the vulnerability, but has no harmful consequences.
An exploit is a tool to exploit a computer vulnerability. Depending on the type of vulnerability, it allows to read protected information, alter data, or deny the service.
The exploit can be integrated into a framework containing a set of tools to facilitate the tasks of hackers.
Over the years, software has become more complex. The number of vulnerabilities is therefore increasing, which requires your vigilance.
Currently, Vigil@nce publishes 3000 new bulletins per year, containing 7500 computer vulnerabilities.
The volume is such that a dedicated service of vulnerability watch is compulsory to be sure you don't forget any alert.
To protect an IT asset, administrators must deploy patches on all software.
First, the context has to be analyzed to decide what is the best solution, and with what urgency the alert should be handled.
Then there are several types of solutions.
A countermeasure is a temporary workaround, such as disabling the vulnerable feature if it is not used.
A source or binary patch minimally modifies the software to only fix the flaw.
A new version of the software usually fixes old vulnerabilities.
Deploying these patches is often not neutral, as it disables features, or creates side effects. Each solution must thus be carefully studied to minimize the impact.
This year, Vigil@nce published 7000 solutions, an average of more than two solutions for each vulnerability bulletin.
All software or systems are or will be vulnerable one day. For example, Windows 10 contains many flaws, as well as Ubuntu. Similarly, office software such as LibreOffice, services such as Samba, Juniper network devices, or Cisco phones contains vulnerabilities.
All these elements must be secured. When the computer equipment is complex, it represents a significant workload.
To identify vulnerabilities, the MITRE set up the CVE (Common Vulnerabilities and Exposures) repository, to associate an identifier to each vulnerability.
This reference, formated as CVE-YYYY-NNNN(N...), correlates information from different products and services.
For example, CVE-2019-15666 identifies a vulnerability in the Linux kernel.
The FIRST and CVSS-SIG propose the CVSS (Common Vulnerability Scoring System) method for rating vulnerabilities.
Depending on elements such as the access vector or the complexity of access, a basic metric is calculated. The temporal metric then varies according to available solutions and attacks. Finally, the environmental metric takes into account the IT system where the vulnerable product is located.
The CVSS score of a vulnerability is between 0 and 10 (critical). This numberis used to decide on the urgency of the treatment.
Our team provides you with vigilance to monitor vulnerabilities.
Every day, the Vigil@nce team publishes bulletins about public computer vulnerabilities and their solutions.
Users receive these alert bulletins by e-mail, depending on the defined frequency, format, and level of urgency.
In a dedicated web space, each user creates his own perimeters. A perimeter is a list of software and systems to be monitored.
Bulletins are then filtered according to perimeters chosen by each user.
Each user has a dedicated web account that can be customized according to their preferences.
Difference with a virus
A virus or malware is an external malicious code, which spreads as a result of an action by the recipient, such as the opening of a malicious document.
In some cases, a virus can use a vulnerability to replicate itself, or grant itself new privileges. In this case, a virus contains an exploit code.
A vulnerability is therefore intrinsic to the software, while the virus is an external malicious code.
An antivirus or antimalware software protects against a malicious code, but it does not fix vulnerable software.
An antivirus works as the last line of defense for a specific malware, while a patch definitively fixes a vulnerability.
Vulnerability monitoring and antivirus software are therefore complementary.
The Vigil@nce watch alerts you about system vulnerabilities and patches you need to deploy.