Vulnerability refers to the inability (of a system or a unit) to withstand the effects of a hostile environment. A window of vulnerability (WOV) is a time frame within which defensive measures are diminished, compromised or lacking.
The understanding of social and environmental vulnerability, as a methodological approach, involves the analysis of the risks and assets of disadvantaged groups, such as the elderly. The approach of vulnerability in itself brings great expectations of social policy and gerontological planning.
In relation to hazards and disasters, vulnerability is a concept that links the relationship that people have with their environment to social forces and institutions and the cultural values that sustain and contest them. “The concept of vulnerability expresses the multi-dimensionality of disasters by focusing attention on the totality of relationships in a given social situation which constitute a condition that, in combination with environmental forces, produces a disaster”.
It is also the extent to which changes could harm a system, or to which the community can be affected by the impact of a hazard or exposed to the possibility of being attacked or harmed, either physically or emotionally: "we were in a vulnerable position".
Within the body of literature related to vulnerability, major research streams include questions of methodology, such as: measuring and assessing vulnerability, including finding appropriate indicators for various aspects of vulnerability, up- and down-scaling methods, and participatory methods. Vulnerability research covers a complex, multidisciplinary field including development and poverty studies, public health, climate studies, security studies, engineering, geography, political ecology, and disaster risk management. This research is of importance and interest for organizations trying to reduce vulnerability – especially as related to poverty and other Millennium Development Goals. Many institutions are conducting interdisciplinary research on vulnerability. A forum that brings many of the current researchers on vulnerability together is the Expert Working Group (EWG). Researchers are currently working to refine definitions of “vulnerability”, measurement and assessment methods, and effective communication of research to decision makers.
In its broadest sense, social vulnerability is one dimension of vulnerability to multiple stressors (agents responsible for stress) and shocks, including abuse, social exclusion and natural hazards. Social vulnerability refers to the inability of people, organizations, and societies to withstand adverse impacts from multiple stressors to which they are exposed. These impacts are due in part to characteristics inherent in social interactions, institutions, and systems of cultural values.
In this respect, there is a need to place an increased emphasis on assets and entitlements for understanding ‘catastrophe’ as opposed to solely the strength or severity of shocks.
A cognitive vulnerability, in cognitive psychology, is an erroneous belief, cognitive bias, or pattern of thought that is believed to predispose the individual to psychological problems. It is in place before the symptoms of psychological disorders start to appear, such as high neuroticism, and after the individual encounters a stressful experience, the cognitive vulnerability shapes a maladaptive response that may lead to a psychological disorder. In psychopathology, cognitive vulnerability is constructed from schema models, hopelessness models, and attachment theory. Attentional bias is one mechanism leading to faulty cognitive bias that leads to cognitive vulnerability. Allocating a danger level to a threat depends on the urgency or intensity of the threshold. Anxiety is not associated with selective orientation.
In military terminology, vulnerability is a subset of survivability, the others being susceptibility and recoverability. Vulnerability is defined in various ways depending on the nation and service arm concerned, but in general it refers to the near-instantaneous effects of a weapon attack. In aviation it is defined as the inability of an aircraft to withstand the damage caused by the man-made hostile environment. In some definitions, recoverability (damage control, firefighting, restoration of capability) is included in vulnerability. Some military services develop their own concept of vulnerability.
Invulnerability is a common feature found in science fiction and fantasy, in particular in superhero fiction, as depicted commonly in novels, comic books and video games. In such stories, it is a quality that makes a character impervious to pain, damage or loss of health.
In video games, it can be found in the form of "power-ups" or cheats; when activated via cheats, it is often referred to as "god mode". Generally, it does not protect the player from certain instant-death hazards, most notably "bottomless" pits from which, even if the player were to survive the fall, they would be unable to escape. As a rule, invulnerability granted by power-ups is temporary, and wears off after a set amount of time, while invulnerability cheats, once activated, remain in effect until deactivated, or the end of the level is reached. Depending on the game in question, invulnerability to damage may or may not protect the player from non-damage effects, such as being immobilized or sent flying.
In comic books, some superheroes are considered invulnerable, though this usually only applies up to a certain level (e.g. Superman is invulnerable to physical attacks from normal people but not to the extremely powerful attacks of Doomsday or those at his level or higher). In the manga, webcomic and anime series One-Punch Man, for example, the main protagonist Saitama is completely immune to all kinds of attacks, whether it be blunt attacks, environmental-based attacks (like heat or cold), slashing attacks or pressure-point based attacks, and unharmed by physical laws.
In mythology, talismans, charms, and amulets were created by magic users for the purpose of making the wearer immune to injury from both mystic and mundane weapons.
Application security encompasses measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
Different techniques are used to surface such security vulnerabilities at different stages of an application's lifecycle, such as design, development, deployment, upgrade and maintenance.
An always evolving but largely consistent set of common security flaws is seen across different applications; see common flaws.
Cross-site scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. In 2017, XSS is still considered a major threat vector. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
Disaster
A disaster is a serious disruption, occurring over a relatively short time, of the functioning of a community or a society involving widespread human, material, economic or environmental loss and impacts, which exceeds the ability of the affected community or society to cope using its own resources.
In contemporary academia, disasters are seen as the consequence of inappropriately managed risk. These risks are the product of a combination of both hazards and vulnerability. Hazards that strike in areas with low vulnerability will never become disasters, as in the case of uninhabited regions.
Developing countries suffer the greatest costs when a disaster hits – more than 95 percent of all deaths caused by hazards occur in developing countries, and losses due to natural hazards are 20 times greater (as a percentage of GDP) in developing countries than in industrialized countries.
Exploit (computer security)
An exploit (from the English verb to exploit, meaning "to use something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.
Foreshadow (security vulnerability)
Foreshadow (known as L1 Terminal Fault (L1TF) by Intel) is a vulnerability that affects modern microprocessors that was first discovered by two independent teams of researchers in January 2018, but was first disclosed to the public on 14 August 2018. The vulnerability is a speculative execution attack on Intel processors that may result in the disclosure of sensitive information stored in personal computers and third-party clouds. There are two versions: the first version (original/Foreshadow) (CVE-2018-3615) targets data from SGX enclaves; and the second version (next-generation/Foreshadow-NG) (CVE-2018-3620 and CVE-2018-3646) targets virtual machines (VMs), hypervisors (VMM), operating systems (OS) kernel memory, and System Management Mode (SMM) memory. A listing of affected Intel hardware has been posted.
Foreshadow is similar to the Spectre security vulnerabilities discovered earlier to affect Intel and AMD chips, and the Meltdown vulnerability that also affected Intel. However, AMD products, according to AMD, are not affected by the Foreshadow security flaws. According to one expert, "[Foreshadow] lets malicious software break into secure areas that even the Spectre and Meltdown flaws couldn't crack". Nonetheless, one of the variants of Foreshadow goes beyond Intel chips with SGX technology, and affects "all [Intel] Core processors built over the last seven years".
Foreshadow may be very difficult to exploit, and there seems to be no evidence to date (15 August 2018) of any serious hacking involving the Foreshadow vulnerabilities. Nevertheless, applying software patches may help alleviate some concern(s), although the balance between security and performance may be a worthy consideration. Companies performing cloud computing may see a significant decrease in their overall computing power; individuals, however, may not likely see any performance impact, according to researchers. The real fix, according to Intel, is by replacing today's processors. Intel further states, "These changes begin with our next-generation Intel Xeon Scalable processors (code-named Cascade Lake), as well as new client processors expected to launch later this year."
On 16 August 2018, researchers presented technical details of the Foreshadow security vulnerabilities in a seminar, and publication, entitled "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution" at a USENIX security conference.
Full disclosure (computer security)
In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.
In his essay on the topic, Bruce Schneier stated "Full disclosure – the practice of making the details of security vulnerabilities public – is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure". Leonard Rose, co-creator of an electronic mailing list that has superseded bugtraq to become the de facto forum for disseminating advisories, explains "We don't believe in security by obscurity, and as far as we know, full disclosure is the only way to ensure that everyone, not just the insiders, have access to the information we need."
Heartbleed
Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension. Thus, the bug's name derives from heartbeat. The vulnerability is classified as a buffer over-read, a situation where more data can be read than should be allowed.
Heartbleed is registered in the Common Vulnerabilities and Exposures database as CVE-2014-0160. The federal Canadian Cyber Incident Response Centre issued a security bulletin advising system administrators about the bug. A fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed.
As of May 20, 2014, 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to Heartbleed.
TLS implementations other than OpenSSL, such as GnuTLS, Mozilla's Network Security Services, and the Windows platform implementation of TLS, were not affected because the defect existed in OpenSSL's implementation of TLS rather than in the protocol itself.
Macroeconomics
Macroeconomics (from the Greek prefix makro- meaning "large" + economics) is a branch of economics dealing with the performance, structure, behavior, and decision-making of an economy as a whole. This includes regional, national, and global economies. Macroeconomists study aggregated indicators such as GDP, unemployment rates, national income, price indices, and the interrelations among the different sectors of the economy to better understand how the whole economy functions. They also develop models that explain the relationship between such factors as national income, output, consumption, unemployment, inflation, saving, investment, international trade, and international finance.
While macroeconomics is a broad field of study, there are two areas of research that are emblematic of the discipline: the attempt to understand the causes and consequences of short-run fluctuations in national income (the business cycle), and the attempt to understand the determinants of long-run economic growth (increases in national income). Macroeconomic models and their forecasts are used by governments to assist in the development and evaluation of economic policy.
Macroeconomics and microeconomics, a pair of terms coined by Ragnar Frisch, are the two most general fields in economics. In contrast to macroeconomics, microeconomics is the branch of economics that studies the behavior of individuals and firms in making decisions and the interactions among these individuals and firms in narrowly-defined markets.
Meltdown (security vulnerability)
Meltdown is a hardware vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.
Meltdown affects a wide range of systems. At the time of disclosure, this included all devices running any but the most recent and patched versions of iOS, Linux, macOS, or Windows. Accordingly, many servers and cloud services were impacted, as well as a potential majority of smart devices and embedded devices using ARM based processors (mobile devices, smart TVs, printers and others), including a wide range of networking equipment.
A purely software workaround to Meltdown has been assessed as slowing computers between 5 and 30 percent in certain specialized workloads, although companies responsible for software correction of the exploit are reporting minimal impact from general benchmark testing.
Meltdown was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754, also known as Rogue Data Cache Load (RDCL), in January 2018. It was disclosed in conjunction with another exploit, Spectre, with which it shares some, but not all characteristics. The Meltdown and Spectre vulnerabilities are considered "catastrophic" by security analysts. The vulnerabilities are so severe that, initially, security researchers believed the reports to be false.
Several procedures to help protect home computers and related devices from the Meltdown and Spectre security vulnerabilities have been published. Meltdown patches may produce performance loss. Spectre patches have been reported to significantly reduce performance, especially on older computers; on the newer eighth-generation Core platforms, benchmark performance drops of 2–14 percent have been measured. On January 18, 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported. Nonetheless, according to Dell: "No 'real-world' exploits of these vulnerabilities [i.e., Meltdown and Spectre] have been reported to date [January 26, 2018], though researchers have produced proof-of-concepts." Further, recommended preventions include: "promptly adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources ... following secure password protocols ... [using] security software to help protect against malware (advanced threat prevention software or anti-virus)."
On January 25, 2018, the current status and possible future considerations in solving the Meltdown and Spectre vulnerabilities were presented.
On March 15, 2018, Intel reported that it will redesign its CPU processors (performance losses to be determined) to help protect against the Meltdown and related Spectre vulnerabilities (especially, Meltdown and Spectre-V2, but not Spectre-V1), and expects to release the newly redesigned processors later in 2018. On October 8, 2018, Intel is reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its latest processors.
OpenSSL
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used in Internet web servers, serving a majority of all web sites.
OpenSSL contains an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
The OpenSSL Software Foundation (OSF) represents the OpenSSL project in most legal capacities including contributor license agreements, managing donations, and so on. OpenSSL Software Services (OSS) also represents the OpenSSL project, for Support Contracts.
Versions are available for most Unix and Unix-like operating systems (including Solaris, Linux, macOS, QNX, and the various open-source BSD operating systems), OpenVMS and Microsoft Windows.
POODLE
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014"). On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.
The CVE-ID associated with the original POODLE attack is CVE-2014-3566. F5 Networks filed for CVE-2014-8730 as well, see POODLE attack against TLS section below.
ROCA vulnerability
The ROCA vulnerability is a cryptographic weakness that allows the private key of a key pair to be recovered from the public key in keys generated by devices with the vulnerability. "ROCA" is an acronym for "Return of Coppersmith's attack". The vulnerability has been given the identifier CVE-2017-15361.
The vulnerability arises from a problem with an approach to RSA key generation used in a software library, RSALib, provided by Infineon Technologies, and incorporated in many smart cards and Trusted Platform Module (TPM) implementations. The same vulnerability appears in recent YubiKey 4 tokens, often used to generate PGP keys. Keys of lengths 512, 1024, and 2048 bits generated using the Infineon library are vulnerable to a practical ROCA attack. The research team that discovered the attack (all with Masaryk University and led by Matúš Nemec and Marek Sýs) estimate that it affects around one-quarter of all current TPM devices globally. Millions of smart cards are believed to be affected.
The team informed Infineon of the RSALib problem in February 2017, but withheld public notice until mid-October, citing responsible disclosure. At that time they announced the attack and provided a tool to test public keys for vulnerability. They published the details of the attack in November.
Shellshock (software bug)
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
Stéphane Chazelas contacted Bash's maintainer, Chet Ramey, on 12 September 2014 telling Ramey about his discovery of the original bug, which he called "Bashdoor". Working together with security experts, he soon had a patch as well. The bug was assigned the identifier CVE-2014-6271. It was announced to the public on 24 September 2014 when Bash updates with the fix were ready for distribution.
The first bug causes Bash to unintentionally execute commands when the commands are concatenated to the end of function definitions stored in the values of environment variables. Within days of the publication of this, intense scrutiny of the underlying design flaws discovered a variety of related vulnerabilities (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187), which Ramey addressed with a series of further patches.
Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning. Security companies recorded millions of attacks and probes related to the bug in the days following the disclosure.
Shellshock could potentially compromise millions of unpatched servers and other systems. Accordingly, it has been compared to the Heartbleed bug in its severity.
Social vulnerability
In its broadest sense, social vulnerability is one dimension of vulnerability to multiple stressors and shocks, including abuse, social exclusion and natural hazards. Social vulnerability refers to the inability of people, organizations, and societies to withstand adverse impacts from multiple stressors to which they are exposed. These impacts are due in part to characteristics inherent in social interactions, institutions, and systems of cultural values.
Because it is most apparent when calamity occurs, many studies of social vulnerability are found in risk management literature.
Spectre (security vulnerability)
Spectre is a vulnerability that affects modern microprocessors that perform branch prediction.
In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system.
To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.
A security risk is often incorrectly classified as a vulnerability. The use of vulnerability with the same meaning of risk can lead to confusion. The risk is the potential of a significant impact resulting from the exploit of a vulnerability. Then there are vulnerabilities without risk: for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability—a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled—see zero-day attack.
Security bug (security defect) is a narrower concept: there are vulnerabilities that are not related to software: hardware, site, personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.
Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.
Vulnerability scanner
A vulnerability scanner is a computer program designed to assess computers, networks or applications for known weaknesses. In plain words, these scanners are used to discover the weaknesses of a given system. They are utilized in the identification and detection of vulnerabilities arising from mis-configurations or flawed programming within a network-based asset such as a firewall, router, web server, application server, etc. Modern vulnerability scanners allow for both authenticated and unauthenticated scans. Modern scanners are typically available as SaaS (Software as a Service); provided over the internet and delivered as a web application. The modern vulnerability scanner often has the ability to customize vulnerability reports as well as the installed software, open ports, certificates and other host information that can be queried as part of its workflow.
Authenticated scans allow for the scanner to directly access network based assets using remote administrative protocols such as secure shell (SSH) or remote desktop protocol (RDP) and authenticate using provided system credentials. This allows the vulnerability scanner to access low-level data, such as specific services and configuration details of the host operating system. It's then able to provide detailed and accurate information about the operating system and installed software, including configuration issues and missing security patches.
Unauthenticated scanning is a method that can result in a high number of false positives and is unable to provide detailed information about the asset's operating system and installed software. This method is typically used by threat actors or security analysts trying to determine the security posture of externally accessible assets.
The CIS Critical Security Controls for Effective Cyber Defense designates continuous vulnerability scanning as a critical control for effective cyber defense.
Vulnerable species
A vulnerable species is one which has been categorized by the International Union for Conservation of Nature as likely to become endangered unless the circumstances that are threatening its survival and reproduction improve.
Vulnerability is mainly caused by habitat loss or destruction of the species' home. Vulnerable habitat or species are monitored and can become increasingly threatened. Some species listed as "vulnerable" may be common in captivity, an example being the military macaw.
There are currently 5196 animals and 6789 plants classified as vulnerable, compared with 1998 levels of 2815 and 3222, respectively. Practices such as cryoconservation of animal genetic resources have been enforced in efforts to conserve vulnerable breeds of livestock specifically.
Zero-day (computing)
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those who would be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.
In the jargon of computer security, "Day Zero" is the day on which the interested party (presumably the vendor of the targeted system) learns of the vulnerability. Up until that day, the vulnerability is known as a zero-day vulnerability. Similarly, an exploitable bug that has been known for thirty days would be called a 30-day vulnerability. Once the vendor learns of the vulnerability, the vendor will usually create patches or advise workarounds to mitigate it.
The fewer the days since Day Zero, the higher the chance no fix or mitigation has been developed. Even after a fix is developed, the fewer the days since Day Zero, the higher is the probability that an attack against the afflicted software will be successful, because not every user of that software will have applied the fix. For zero-day exploits, the probability that a user has patched their bugs is zero, so the exploit should always succeed. Zero-day attacks are a severe threat.