|22 Apr 2010||#1|
| || |
Vulnerabilities vs. attack vectors...
During our daily work analysing vulnerabilities in-depth, we come across cases on a regular basis where a single vulnerability with multiple attack vectors is being reported as separate vulnerabilities. To quickly cover our definitions of the terms: A "vulnerability" is a specific problem in the code having a security impact while an "attack vector" is a way of triggering / reaching the vulnerability.
There may be a number of reasons why we see different attack vectors being reported as separate vulnerabilities. Perhaps it's because it may take a lot of time and skill to fully understand some vulnerabilities, making it faster and/or easier to just report something as multiple vulnerabilities without determining anything else than that there is "memory corruption"; an increasingly popular term.
As an example: Not that long ago, we did a quick test run of an internally developed fuzzer by pegging it against a product from Adobe Systems. Overnight, the fuzzer generated 400+ crash reports. Out of those crashes, about 80 of them occurred due to "memory corruption"; as half of these were triggered by manipulating different fields, this could mean that our fuzzer had found about 40 separate vulnerabilities. However, after properly analysing each crash, they all turned out to be caused by just four different vulnerabilities (having a large number of attack vectors).
Vulnerabilities vs. attack vectors... - Blog - Blog & News - Company
|My System Specs|
|Similar help and support threads for2: Vulnerabilities vs. attack vectors...|
|DDoS Attack, Changed IPs Still Under Attack||System Security|
|Top 10 vulnerabilities list||Security News|
|Kaspersky: 12 different vulnerabilities detected on every PC||Security News|
|New Windows kernel mode flaw points to future attack vectors||News|
|Seven myths about zero day vulnerabilities debunked||Security News|
|Internet Explorer has Three Vulnerabilities||News|
|Our Sites ||Site Links ||About Us ||Find Us |
© Designer Media Ltd
All times are GMT -5. The time now is 03:50 AM.