Vulnerability (computing)

In information security, a vulnerability is a flaw in software through which a malicious program (malware) or an attacker can gain entry to a computer system.

Emergence of vulnerabilities

A vulnerability represents a threat to the security of a computer system: there is a risk that it will be exploited and the affected system compromised. Vulnerabilities include both inadequate protection of a computer against attacks from the network (for example, the absence of a firewall or other security software) and programming errors in the operating system, the browser or other applications running on the system.

Vulnerabilities can be introduced during the development process when security aspects are neglected in planning, design and implementation and security requirements are not sufficiently taken into account, for instance as quality objectives. Vulnerabilities also result from errors that arise from the complexity of software systems during development. Rough estimates put the rate at about one error per 1,000 lines of code, so a program of 1,000,000 lines can be expected to contain roughly 1,000 errors. If not all of them are found during alpha and beta testing, the result is a defective product.

Many errors are never discovered because their severity is low or their impact only causes damage after the program has been running for a long time. Simple errors of this kind, once detected, are often merely documented and corrected later in highly complex programs. This is done not only for cost reasons but also because every change to the program code needed to remedy an error can in turn be a source of new errors. However, some errors create serious security vulnerabilities without immediately leading to a complete crash.

Such vulnerabilities are typical of programs written in programming languages that are optimized for performance (such as C or assembler) and are error-prone because of their programming model (keyword: pointer arithmetic). Given the spread of such languages, the high time pressure in software production combined with the pronounced cost pressure on software companies, and the insufficiently careful approach to the topic of secure software, vulnerabilities are the rule rather than the exception.

A frequently mentioned problem is the software that hardware manufacturers supply with their products, often bundled with certain products for marketing reasons only (compare the video editing software shipped with camcorders). Low-cost development and the resulting poor programming produce a wide variety of bugs and security holes that primarily affect the home user. Matters are made worse by the fact that hardware companies are often not specialized in developing application software, outsource development to external companies and are therefore no longer easily able to check product quality themselves. Moreover, the external companies may not be specialized in developing that particular kind of software either. These factors mean that new, error-laden software keeps coming onto the market instead of existing software being developed further and improved.

Some serious problems and errors could easily be avoided today if, instead of very low-level languages that allow direct addressing of memory, programming languages such as Modula-2, Eiffel, Oberon and Component Pascal were used in their respective current versions; mature operating systems and drivers can also be written very efficiently in such languages.

Exploit vulnerabilities

Such a bug can allow an attacker, for example by means of an exploit, to penetrate a computer system and execute commands that cause harm. One of the most common errors used to break into computer systems is the buffer overflow. If the length of the data being copied is checked inadequately or not at all, the copy overwrites other parts of the program's memory, which attackers use deliberately to alter the program's behaviour or to introduce foreign code into it.
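The missing length check described above, as an added example that is not part of the original article: an unchecked copy routine beside a hardened one, operating on a constructed record layout (a 16-byte name field immediately followed by a 4-byte privilege flag) with constructed attacker input. The layout, the function names and the input are all hypothetical; the point is that a copy whose length is taken from the caller without comparison against the field size writes straight into the adjacent data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout: a 16-byte name field immediately followed by a
 * 4-byte privilege flag. Keeping it as one flat byte array makes the effect
 * of an overflow of the name field deterministic: the surplus bytes land in
 * the flag. (Hypothetical layout for illustration, not from any real program.) */
#define NAME_LEN 16
#define FLAG_LEN 4
#define REC_LEN  (NAME_LEN + FLAG_LEN)

struct record {
    unsigned char bytes[REC_LEN];
};

/* Read the privilege flag that sits directly after the name field. */
uint32_t record_flag(const struct record *r)
{
    uint32_t v;
    memcpy(&v, r->bytes + NAME_LEN, sizeof v);
    return v;
}

/* Vulnerable: copies the caller-supplied length into the name field without
 * comparing it against NAME_LEN. Any bytes beyond 16 overwrite the flag. */
void set_name_unchecked(struct record *r, const unsigned char *name, size_t len)
{
    unsigned char *dst = r->bytes;   /* name field starts at offset 0 */
    memcpy(dst, name, len);          /* missing bounds check */
}

/* Hardened: rejects input longer than the field and zero-fills the rest,
 * so the flag can never be reached through this function.
 * Returns 0 on success and -1 if the input was rejected. */
int set_name_checked(struct record *r, const unsigned char *name, size_t len)
{
    if (len > NAME_LEN)
        return -1;
    memcpy(r->bytes, name, len);
    memset(r->bytes + len, 0, NAME_LEN - len);
    return 0;
}

/* Constructed attacker input: 16 filler bytes followed by four 0x01 bytes,
 * i.e. exactly the length that reaches into the flag field. */
static const unsigned char ATTACK[REC_LEN] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x01, 0x01, 0x01, 0x01
};

/* Runs the attack against the unchecked copy; returns the resulting flag. */
uint32_t flag_after_unchecked_copy(void)
{
    struct record r = {{0}};
    set_name_unchecked(&r, ATTACK, sizeof ATTACK);
    return record_flag(&r);          /* 0x01010101 on any byte order */
}

/* Runs the attack against the checked copy; returns the resulting flag. */
uint32_t flag_after_checked_copy(void)
{
    struct record r = {{0}};
    set_name_checked(&r, ATTACK, sizeof ATTACK);   /* returns -1: input rejected */
    return record_flag(&r);          /* still 0 */
}

int main(void)
{
    printf("unchecked copy: flag = 0x%08x\n", flag_after_unchecked_copy());
    printf("checked copy:   flag = 0x%08x\n", flag_after_checked_copy());
    return 0;
}
```

The unchecked version is exactly the shape of bug the text describes: the length comes from the input, not from the destination, so 20 bytes of input silently become a privilege escalation. The checked version fails closed (rejects rather than truncates) and reports the rejection to the caller, which is what a fix for this class of error should do. In a real program the overwritten neighbour is usually a saved return address or a heap header rather than a flag, and the consequence is code execution rather than a changed value, but the root cause is the same missing comparison.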

Dealing with security issues

With so-called closed-source applications, it is the task of the program's manufacturer to fix the vulnerability with a patch or by providing a new, corrected version. Fixing it is not mandatory and may be omitted if, for example, the support cycle for the product has expired or the manufacturer does not recognize the vulnerability as such and sees no need for action.

With open-source and free software there are often several developers (mostly those who have long been involved in the program), scattered around the world, who write a patch as soon as the error is discovered and published. Particularly in large open-source projects such as Linux, patches to close a gap usually appear shortly after its discovery.

Examples

Examples can be found in the category: Vulnerability.
