22 Apr 2010
Vulnerabilities vs. attack vectors...
During our daily work analysing vulnerabilities in-depth, we come across cases on a regular basis where a single vulnerability with multiple attack vectors is being reported as separate vulnerabilities. To quickly cover our definitions of the terms: A "vulnerability" is a specific problem in the code having a security impact while an "attack vector" is a way of triggering / reaching the vulnerability.
There may be a number of reasons why we see different attack vectors being reported as separate vulnerabilities. Perhaps it's because it may take a lot of time and skill to fully understand some vulnerabilities, making it faster and/or easier to just report something as multiple vulnerabilities without determining anything other than that there is "memory corruption"; an increasingly popular term.
As an example: Not that long ago, we did a quick test run of an internally developed fuzzer by pegging it against a product from Adobe Systems. Overnight, the fuzzer generated 400+ crash reports. Out of those crashes, about 80 of them occurred due to "memory corruption"; as half of these were triggered by manipulating different fields, this could mean that our fuzzer had found about 40 separate vulnerabilities. However, after properly analysing each crash, they all turned out to be caused by just four different vulnerabilities (having a large number of attack vectors).
Source - Vulnerabilities vs. attack vectors... - Blog - Blog & News - Company
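The distinction drawn in the quoted article, as an added example that is not part of the original post or of the authors' tooling: a first-pass triage script that groups fuzzer crashes by where the code faulted rather than by which field was mutated, so each bucket is one candidate vulnerability with its attack vectors listed. The crash records, module and function names, and the list of generic frames are constructed assumptions, and bucketing by stack is a heuristic that narrows the work, not a substitute for analysing each crash.

```python
import hashlib
from collections import defaultdict

# Assumed list of runtime/heap helpers. A fault "in memcpy" says nothing about
# which caller supplied the bad length, so these frames are skipped.
GENERIC = {"memcpy", "memmove", "malloc", "free", "RtlFreeHeap", "RtlAllocateHeap"}

def signature(frames, depth=3):
    """Hash the first `depth` non-generic frames, ignoring +0x offsets."""
    names = [f.split("+")[0] for f in frames]            # drop instruction offset
    app = [n for n in names if n.split("!")[-1] not in GENERIC]
    return hashlib.sha256("|".join(app[:depth]).encode()).hexdigest()[:12]

def bucket(crashes):
    """Map signature -> set of mutated fields (attack vectors) that reached it."""
    buckets = defaultdict(set)
    for crash in crashes:
        buckets[signature(crash["stack"])].add(crash["field"])
    return dict(buckets)

# Constructed sample: five crashes, each triggered through a different field.
CRASHES = [
    {"field": "width",    "stack": ["msvcrt!memcpy+0x5a", "app!CopyRow+0x21",
                                    "app!DecodeImage+0x110", "app!LoadObject+0x40"]},
    {"field": "height",   "stack": ["msvcrt!memcpy+0x33", "app!CopyRow+0x21",
                                    "app!DecodeImage+0x118", "app!LoadObject+0x40"]},
    {"field": "stride",   "stack": ["app!CopyRow+0x4c", "app!DecodeImage+0x110",
                                    "app!LoadObject+0x40"]},
    {"field": "name_len", "stack": ["ntdll!RtlFreeHeap+0x12", "app!FreeString+0x9",
                                    "app!ParseName+0x77"]},
    {"field": "name_off", "stack": ["app!FreeString+0x1b", "app!ParseName+0x80"]},
]

if __name__ == "__main__":
    result = bucket(CRASHES)
    print(f"{len(CRASHES)} crashes, {len(result)} candidate vulnerabilities")
    for sig, fields in result.items():
        print(f"  {sig}: attack vectors = {sorted(fields)}")
```

Two crashes with the same signature can still be different bugs, and one bug can fault in several places, so each bucket needs root-cause confirmation before it is counted or reported.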