The difference between a vulnerability, an exploit, and an attack

by Volker Weber

Time for some bullshit detection and clue procurement.

Vulnerability: Somebody discovers a flaw in software. Typical flaws are unchecked variables. What is that? You write to memory, but what you write into memory does not fit into the assigned space. That creates an overflow "behind" the variable. The flaw is that the program does not check if the content fits the variable.

Exploit: Somebody creates a piece of code which uses the flaw to inject program code into memory which ultimately gets executed.

Attack: Somebody builds an exploit which ultimately does something bad to your computer. We call this malware, as in malicious software.
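The flaw described under "Vulnerability", as an added example that is not part of the original post: a write that never asks whether the content fits the variable, next to the version that checks. The 8-byte variable, the 16-byte region and all function names are assumptions made for illustration; the unchecked write is clamped to the region so the demonstration stays inside memory the program owns.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed memory layout: an 8-byte variable followed directly by
   8 bytes belonging to a neighbour, modelled as one 16-byte region. */
#define VAR_SIZE    8
#define REGION_SIZE 16

struct region {
    unsigned char bytes[REGION_SIZE]; /* [0..7] variable, [8..15] neighbour */
};

/* The flaw: copies len bytes into the variable without checking that
   len fits VAR_SIZE. Clamped to the region only to keep the demo defined. */
static size_t write_unchecked(struct region *r, const void *src, size_t len) {
    if (len > REGION_SIZE) len = REGION_SIZE;
    memcpy(r->bytes, src, len);
    return len;
}

/* The fix: refuse content that does not fit the variable. */
static int write_checked(struct region *r, const void *src, size_t len) {
    if (len > VAR_SIZE) return -1;
    memcpy(r->bytes, src, len);
    return 0;
}

/* Returns 1 if any byte "behind" the variable is no longer zero. */
static int neighbour_clobbered(const struct region *r) {
    for (size_t i = VAR_SIZE; i < REGION_SIZE; i++)
        if (r->bytes[i] != 0) return 1;
    return 0;
}

int main(void) {
    const char input[] = "AAAAAAAAAAAA"; /* constructed input: 12 bytes */
    struct region a = {{0}};
    struct region b = {{0}};

    write_unchecked(&a, input, 12);
    printf("unchecked: neighbour clobbered = %d\n", neighbour_clobbered(&a));

    int rc = write_checked(&b, input, 12);
    printf("checked: rc = %d, neighbour clobbered = %d\n",
           rc, neighbour_clobbered(&b));
    return 0;
}
```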

When news outlets fall over themselves to report that a billion Android phones are now in grave danger, they forget that knowing of a vulnerability does not necessarily enable you to build an exploit. And having an exploit does not enable you to launch an attack. Ideas are cheap, execution is hard. An idea does not lead to profit, as shown here:

Step 1: Idea
Step 2: ?
Step 3: Profit

Example? Imagine you want to attack all Android phones. They are not alike. A PRIV/DTEK50 for instance defends much better against two typical exploits: buffer overflow, the example I used to explain vulnerability, and rights elevation. Your exploit which works on an LG might not work on BlackBerry. Actually, it probably won't.

Source: imgur

Now assume that somebody was able to create an attack against PRIV/DTEK50 and is actively deploying this weapon. That's where the hotfix comes in. BlackBerry has secured a way to distribute hotfixes at will. Like: now. Without waiting for Google or for a carrier. They did not have to do that ever since the PRIV came out.

Keep calm and carry on. And ditch those Android devices that never get fixes for vulnerabilities. They are the ones that will be attacked.


And yet I still have my doubts about that gif. That might work for a handful of highly trained professionals who train their reactions almost every day. For everyone else an attempt to replicate this manoeuvre will end in almost certain death.

Armin Grewe, 2016-08-11

Not all adversaries are the same. Exactly what I am trying to say.

Volker Weber, 2016-08-11
