The difference between a vulnerability, an exploit, and an attack

by Volker Weber

Time for some bullshit detection and clue procurement.

Vulnerability: Somebody discovers a flaw in software. Typical flaws are unchecked variables. What is that? You write to memory, but what you write into memory does not fit into the assigned space. That creates an overflow "behind" the variable. The flaw is that the program does not check if the content fits the variable.

Exploit: Somebody creates a piece of code which uses the flaw to inject program code into memory which ultimately gets executed.

Attack: Somebody builds an exploit which ultimately does something bad to your computer. We call this malware, as in malicious software.

When news outlets fall over themselves to report that a billion Android phones are now in grave danger, they forget that knowing of a vulnerability does not necessarily enable you to build an exploit. And having an exploit does not enable you to launch an attack. Ideas are cheap, execution is hard. An idea does not lead to profit, as shown here:

Step 1: Idea
Step 2: ?
Step 3: Profit

Example? Imagine you want to attack all Android phones. They are not alike. A PRIV/DTEK50 for instance defends much better against two typical exploits: buffer overflow, the example I used to explain vulnerability, and rights elevation. Your exploit which works on an LG might not work on BlackBerry. Actually, it probably won't.

ZZ4DD12489
Source: imgur

Now assume that somebody was able to create an attack against PRIV/DTEK50 and is actively deploying this weapon. That's where the hotfix comes in. BlackBerry has secured a way to distribute hotfixes at will. Like: now. Withiut waiting for Google or for a carrier. They did not have to do that ever since the PRIV came out.

Keep calm and carry on. And ditch those Android devices that never get fixes for vulnerabilities. They are the ones that will be attacked.

Comments

And yet I still have my doubts about that gif. That might work for a handful of highly trained professionals who train their reactions almost every day. For everyone else an attempt to replicate this manoeuvre will end in almost certain death.

Armin Grewe, 2016-08-11 07:42

Not all adversaries are the same. Exactly what I am trying to say.

Volker Weber, 2016-08-11 09:02

Recent comments

Heiko Wolf on Alexa, do. Not. Panic. at 23:16
Armin Grewe on Alexa, do. Not. Panic. at 22:10
Volker Weber on Echo Show :: First Impressions at 20:06
Peter Meuser on Echo Show :: First Impressions at 19:18
Stephan Bohr on Fünf Bücher, die Bill Gates liest at 18:24
Volker Weber on Wyze Cam v2 at 17:55
Samuel Orsenne on Wyze Cam v2 at 17:33
Maikel Maes on Marshall updates the Major at 14:01
Mark Haust on Oberfläche at 10:07
Sami Bahri on Alexa, do. Not. Panic. at 09:39
Volker Weber on Plantronics 6200 UC :: Erste Eindrücke at 05:56
Stephan H. Wissel on Plantronics 6200 UC :: Erste Eindrücke at 23:00
Bill Mayer on Alexa, do. Not. Panic. at 20:16
Bill Mayer on Echo Show :: First Impressions at 19:52
Stefan Dorscht on Plantronics 6200 UC :: Erste Eindrücke at 17:10
Volker Weber on Plantronics 6200 UC :: Erste Eindrücke at 15:10
Enrico Lippmann on Alexa, do. Not. Panic. at 14:42
Bastian Neumann on Plantronics 6200 UC :: Erste Eindrücke at 14:13
Jörg Hermann on Oberfläche at 22:54
Christian Tillmanns on Oberfläche at 21:22
Ragnar Schierholz on Oberfläche at 20:10
Kai Schmalenbach on Oberfläche at 19:01
Markus Dierker on Echo Show :: First Impressions at 18:59
Philipp Ringler on Oberfläche at 17:31
Volker Weber on Echo Show :: First Impressions at 16:52

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter amazon

Local time is 05:14

visitors.gif

buy me coffee