The difference between a vulnerability, an exploit, and an attack

by Volker Weber

Time for some bullshit detection and clue procurement.

Vulnerability: Somebody discovers a flaw in software. Typical flaws are unchecked variables. What is that? You write to memory, but what you write into memory does not fit into the assigned space. That creates an overflow "behind" the variable. The flaw is that the program does not check if the content fits the variable.
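To make the "unchecked variable" concrete, here is an added C illustration (not code from the original post) of the flaw just described next to the check that removes it. The field size, the function names and the sample inputs are assumptions made up for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed for this example: a fixed-size field with room for 15
   characters plus the terminating NUL byte. */
#define FIELD_SIZE 16

/* The flaw as described in the post: nothing checks whether the content
   fits the field. strcpy() keeps copying until it sees a NUL, so a source
   of 16 or more characters writes past the end of `field`, i.e. "behind"
   the variable. Shown only to illustrate the pattern; never call it with
   input whose length you do not control. */
void copy_unchecked(char field[FIELD_SIZE], const char *src)
{
    strcpy(field, src);   /* no length check: overflow if strlen(src) >= FIELD_SIZE */
}

/* The fix: check that the content fits before writing anything.
   Returns 1 when the copy succeeded and 0 when the source would not fit,
   in which case the field is left as an empty string. */
int copy_checked(char field[FIELD_SIZE], const char *src)
{
    /* Measure the source, but never look further than the field could hold. */
    size_t len = 0;
    while (len < FIELD_SIZE && src[len] != '\0') {
        len++;
    }
    if (len >= FIELD_SIZE) {      /* no room left for the NUL terminator */
        field[0] = '\0';
        return 0;
    }
    memcpy(field, src, len + 1);  /* copies the NUL as well */
    return 1;
}

int main(void)
{
    char field[FIELD_SIZE];
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *short_name = "vowe";
    const char *long_name  = "this string is far longer than the field";

    if (copy_checked(field, short_name)) {
        printf("short input accepted: \"%s\"\n", field);
    }
    if (!copy_checked(field, long_name)) {
        printf("long input rejected: would not fit in %d bytes\n", FIELD_SIZE);
    }
    return 0;
}
```

The checked version is the whole difference between a program that has this vulnerability and one that does not: the data and the destination are the same, only the missing length comparison has been added.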

Exploit: Somebody creates a piece of code which uses the flaw to inject program code into memory which ultimately gets executed.

Attack: Somebody builds an exploit which ultimately does something bad to your computer. We call this malware, as in malicious software.

When news outlets fall over themselves to report that a billion Android phones are now in grave danger, they forget that knowing of a vulnerability does not necessarily enable you to build an exploit. And having an exploit does not enable you to launch an attack. Ideas are cheap, execution is hard. An idea does not lead to profit, as shown here:

Step 1: Idea
Step 2: ?
Step 3: Profit

Example? Imagine you want to attack all Android phones. They are not alike. A PRIV/DTEK50 for instance defends much better against two typical exploits: buffer overflow, the example I used to explain vulnerability, and rights elevation. Your exploit which works on an LG might not work on BlackBerry. Actually, it probably won't.

[Animated gif ZZ4DD12489, source: imgur]

Now assume that somebody was able to create an attack against PRIV/DTEK50 and is actively deploying this weapon. That's where the hotfix comes in. BlackBerry has secured a way to distribute hotfixes at will. Like: now. Without waiting for Google or for a carrier. They have not had to use it since the PRIV came out.

Keep calm and carry on. And ditch those Android devices that never get fixes for vulnerabilities. They are the ones that will be attacked.

Comments

And yet I still have my doubts about that gif. That might work for a handful of highly trained professionals who train their reactions almost every day. For everyone else an attempt to replicate this manoeuvre will end in almost certain death.

Armin Grewe, 2016-08-11

Not all adversaries are the same. Exactly what I am trying to say.

Volker Weber, 2016-08-11
