The difference between a vulnerability, an exploit, and an attack

by Volker Weber

Time for some bullshit detection and clue procurement.

Vulnerability: Somebody discovers a flaw in software. Typical flaws are unchecked variables. What is that? You write to memory, but what you write into memory does not fit into the assigned space. That creates an overflow "behind" the variable. The flaw is that the program does not check if the content fits the variable.

Exploit: Somebody creates a piece of code which uses the flaw to inject program code into memory which ultimately gets executed.

Attack: Somebody builds an exploit which ultimately does something bad to your computer. We call this malware, as in malicious software.

When news outlets fall over themselves to report that a billion Android phones are now in grave danger, they forget that knowing of a vulnerability does not necessarily enable you to build an exploit. And having an exploit does not enable you to launch an attack. Ideas are cheap, execution is hard. An idea does not lead to profit, as shown here:

Step 1: Idea
Step 2: ?
Step 3: Profit

Example? Imagine you want to attack all Android phones. They are not alike. A PRIV/DTEK50 for instance defends much better against two typical exploits: buffer overflow, the example I used to explain vulnerability, and rights elevation. Your exploit which works on an LG might not work on BlackBerry. Actually, it probably won't.

ZZ4DD12489
Source: imgur

Now assume that somebody was able to create an attack against PRIV/DTEK50 and is actively deploying this weapon. That's where the hotfix comes in. BlackBerry has secured a way to distribute hotfixes at will. Like: now. Withiut waiting for Google or for a carrier. They did not have to do that ever since the PRIV came out.

Keep calm and carry on. And ditch those Android devices that never get fixes for vulnerabilities. They are the ones that will be attacked.

Comments

And yet I still have my doubts about that gif. That might work for a handful of highly trained professionals who train their reactions almost every day. For everyone else an attempt to replicate this manoeuvre will end in almost certain death.

Armin Grewe, 2016-08-11 07:42

Not all adversaries are the same. Exactly what I am trying to say.

Volker Weber, 2016-08-11 09:02

Recent comments

Nick Coenen on Ferrari Evolution at 13:16
Andreas Fischer on Your favorite messenger at 08:58
Peter Meuser on Microsoft Tech Summit: Ab in die Wolke at 08:41
Volker Weber on Microsoft Tech Summit: Ab in die Wolke at 21:37
Florian Vogler on Microsoft Tech Summit: Ab in die Wolke at 20:35
Alan Lepofsky on Attending IBM think 2018 at 14:08
Andy Mell on Android Enterprise Recommended at 12:28
Martin Kautz on Om Malik :: The #1 reason Facebook won’t ever change at 11:27
Viktor Dexheimer on Ferrari Evolution at 05:18
Richard Moy on Om Malik :: The #1 reason Facebook won’t ever change at 22:06
Kristian Raue on Concept Zero :: Echo Dot auf Steckdose montieren at 22:01
Armin Grewe on Android Enterprise Recommended at 21:02
Jean-Marc Autexier on Android Enterprise Recommended at 20:49
Volker Weber on Quo vadis IBM Connections? at 20:41
Samuel Orsenne on Ferrari Evolution at 12:38
Volker Weber on Android Enterprise Recommended at 11:21
Kai Nehm on Android Enterprise Recommended at 11:16
Stephan Wissel on Android Enterprise Recommended at 10:57
Karl Heindel on Ferrari Evolution at 21:21
Thomas Langel on Ferrari Evolution at 14:23
Maik Endler on udoq :: Das Ding des Jahres at 13:51
Karl Heindel on Ferrari Evolution at 10:39
Sven Bühler on Ferrari Evolution at 23:53
Abdelkader Boui on Concept Zero :: Echo Dot auf Steckdose montieren at 18:37
Volker Weber on udoq :: Das Ding des Jahres at 17:17

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter

Local time is 14:47

visitors.gif