The difference between a vulnerability, an exploit, and an attack

by Volker Weber

Time for some bullshit detection and clue procurement.

Vulnerability: Somebody discovers a flaw in software. Typical flaws are unchecked variables. What is that? You write to memory, but what you write into memory does not fit into the assigned space. That creates an overflow "behind" the variable. The flaw is that the program does not check if the content fits the variable.
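The unchecked write described above, next to the same write with the missing check, as an added example that is not part of the original post. It models memory as a 16-byte array (an assumed layout, with hypothetical names throughout) so that the overflow "behind" the variable is visible without relying on undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: an 8-byte variable with its neighbour directly behind it. */
#define VAR_SIZE 8
#define MEM_SIZE 16

struct memory {
    unsigned char bytes[MEM_SIZE]; /* [0..7] variable, [8..15] neighbour */
};

static void mem_init(struct memory *m) {
    memset(m->bytes, 0, VAR_SIZE);
    memcpy(m->bytes + VAR_SIZE, "NEIGHBOR", 8);
}

static int neighbour_intact(const struct memory *m) {
    return memcmp(m->bytes + VAR_SIZE, "NEIGHBOR", 8) == 0;
}

/* Flawed: never compares len with VAR_SIZE. Returns the number of bytes
 * that spilled behind the variable. The MEM_SIZE cap only keeps this
 * model inside its own array; a real flawed program has no such cap. */
static size_t store_unchecked(struct memory *m, const void *src, size_t len) {
    if (len > MEM_SIZE) len = MEM_SIZE;
    memcpy(m->bytes, src, len);
    return len > VAR_SIZE ? len - VAR_SIZE : 0;
}

/* Fixed: content that does not fit is rejected before anything is written. */
static int store_checked(struct memory *m, const void *src, size_t len) {
    if (len > VAR_SIZE) return -1;
    memcpy(m->bytes, src, len);
    return 0;
}

int main(void) {
    const char input[] = "AAAAAAAAAAAA"; /* constructed input: 12 bytes */
    struct memory m;

    mem_init(&m);
    size_t spilled = store_unchecked(&m, input, 12);
    printf("unchecked: %zu bytes spilled, neighbour intact: %d\n", spilled, neighbour_intact(&m));

    mem_init(&m);
    int rc = store_checked(&m, input, 12);
    printf("checked: rc=%d, neighbour intact: %d\n", rc, neighbour_intact(&m));
    return 0;
}
```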

Exploit: Somebody creates a piece of code which uses the flaw to inject program code into memory which ultimately gets executed.

Attack: Somebody builds an exploit which ultimately does something bad to your computer. We call this malware, as in malicious software.

When news outlets fall over themselves to report that a billion Android phones are now in grave danger, they forget that knowing of a vulnerability does not necessarily enable you to build an exploit. And having an exploit does not enable you to launch an attack. Ideas are cheap, execution is hard. An idea does not lead to profit, as shown here:

Step 1: Idea
Step 2: ?
Step 3: Profit

Example? Imagine you want to attack all Android phones. They are not alike. A PRIV/DTEK50 for instance defends much better against two typical exploits: buffer overflow, the example I used to explain vulnerability, and rights elevation. Your exploit which works on an LG might not work on BlackBerry. Actually, it probably won't.

[GIF. Source: imgur]

Now assume that somebody was able to create an attack against PRIV/DTEK50 and is actively deploying this weapon. That's where the hotfix comes in. BlackBerry has secured a way to distribute hotfixes at will. Like: now. Without waiting for Google or for a carrier. They did not have to do that ever since the PRIV came out.

Keep calm and carry on. And ditch those Android devices that never get fixes for vulnerabilities. They are the ones that will be attacked.

Comments

And yet I still have my doubts about that gif. That might work for a handful of highly trained professionals who train their reactions almost every day. For everyone else an attempt to replicate this manoeuvre will end in almost certain death.

Armin Grewe, 2016-08-11

Not all adversaries are the same. Exactly what I am trying to say.

Volker Weber, 2016-08-11
