Exploit vs Vulnerability

Exploit and vulnerability are nearly inseparable terms when discussing the latest cyberattack. While it may seem like they can be used interchangeably, it is important to understand that they are two distinct sides of the same coin. An exploit cannot exist without a vulnerability.

Vulnerability: A weakness in a system’s design or implementation[1]. For our purposes, we will restrict the definition specifically to software.

Exploit: The use of a vulnerability to violate a system’s security policy.

A vulnerability in a real-world situation could be that maintenance personnel are allowed free movement around special events such as the Super Bowl with little intervention by security personnel. An exploit of this vulnerability could be walking through the side entrance of a sports venue carrying a toolbox and a ladder, unquestioned by security personnel, as a group of individuals claims to have done in 2017.

Vulnerability

Where do They Come From?

Vulnerabilities are weaknesses, and weaknesses are bad. How do they come about and why isn’t more being done to prevent them?

Well, it turns out that vulnerabilities are hard to avoid, despite the best efforts of programmers and the tools they use. Software vulnerabilities come from defects in the underlying code. These defects can be extremely subtle, yet they can still turn into vulnerabilities. Defects can be introduced by human error or can arise from emergent behavior in a complex software system. For example, a human could accidentally introduce a logic error into software, which could then become a vulnerability given specific inputs to the software system.

Complex software often performs several operations simultaneously. This can lead to situations where the logic is sound for each individual operation but can break down when multiple operations are happening at once. These types of vulnerabilities are particularly interesting and will be the focus of another post.

How to Find Vulnerabilities

Vulnerabilities can be discovered by accident or intentionally, by performing vulnerability research or vulnerability analysis. Vulnerability research and vulnerability analysis involve actively looking for weaknesses using whatever means are available. This could be as simple as trying to force a program to terminate by sending it too many keystrokes too quickly, or it could be more sophisticated and involve forcing a voltage spike across an electronic component to achieve an unintended effect.

How to Compare Vulnerabilities

Since some vulnerabilities are more severe than others, it is important to have a way to compare them.

The Common Vulnerability Scoring System (CVSS)[2] provides a standardized approach to assigning a numerical value to a vulnerability based on a number of characteristics and details of the vulnerability itself. Vulnerabilities are scored from 0 to 10, with 10 being the most critical and 0 being a no-risk vulnerability.

Exploit

An exploit uses a vulnerability to achieve a specific goal.

In order to demonstrate the severity of a vulnerability, security researchers develop Proof-of-Concept (PoC) tools that prove a vulnerability is exploitable.

The risk of an exploit is directly linked to the risk of the vulnerability associated with it. For example, exploiting a vulnerability with a CVSS score of 9 could allow a bad actor to force a system to execute malicious code with very little skill on the part of the attacker.

Going from Vulnerability to Exploit

To highlight the difference between a vulnerability and an exploit, and to show how a vulnerability can be turned into an exploit, let’s take a look at a peculiar vulnerability from 2019 affecting iOS and macOS devices.[3] FaceTime is a built-in application that comes with iOS, iPadOS, and macOS which allows users to make video calls to other FaceTime users.[4] The expected flow of a FaceTime call is that the caller uses the FaceTime application to contact another party. The other party’s phone rings, and they have the option to either accept or decline the call.

The vulnerability was that FaceTime did not properly track the state of participants in a group FaceTime session. It carried a CVSS score of 7.5, making it a high-risk vulnerability.

Exploitation of this vulnerability turned out to be quite trivial. Suppose Eve wants to eavesdrop on Alice without Alice knowing.

  1. Eve calls Alice via FaceTime and Alice must answer the call in order for the two to communicate.
  2. Eve adds herself as an additional participant to the conversation, converting the session to a group conversation.
  3. Alice’s device automatically accepts the call from Eve, activating Alice’s microphone and camera.
  4. Eve has now exploited the vulnerability to eavesdrop on Alice.
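To make the "state of participants was not properly tracked" point concrete, here is a constructed, simplified model of a call session. It is an added example, not Apple's code, and makes no claim about how FaceTime is actually implemented: the assumed defect is that media is enabled for every device the session lists as a participant, rather than only for devices whose user explicitly accepted the call, and the assumed patch is to check explicit acceptance before enabling media.

```python
# Constructed model of a two-party call that can become a group call.
# track_acceptance=False reproduces the assumed defective logic,
# track_acceptance=True the assumed patched logic.


class CallSession:
    def __init__(self, caller, callee, track_acceptance):
        self.track_acceptance = track_acceptance
        self.ringing = {callee}          # invited, has not answered yet
        self.participants = {caller}     # devices listed in the conversation
        self.accepted = {caller}         # devices whose user pressed "accept"

    def answer(self, who):
        """The called party taps 'accept': the only legitimate way to join."""
        if who not in self.ringing:
            raise ValueError(f"{who} was not ringing")
        self.ringing.discard(who)
        self.participants.add(who)
        self.accepted.add(who)

    def add_participant(self, by, who):
        """A participant adds someone, converting the call into a group call.
        Assumption: group conversion folds every still-ringing device into
        the participant list without waiting for it to answer."""
        if by not in self.participants:
            raise PermissionError(f"{by} is not in the call")
        self.participants.add(who)
        self.participants |= self.ringing
        self.ringing.clear()

    def media_active(self, device):
        """Should this device's microphone and camera be streaming?"""
        if self.track_acceptance:
            # Patched logic: being listed is not the same as having consented.
            return device in self.participants and device in self.accepted
        # Defective logic: membership in the participant list is enough.
        return device in self.participants


def alice_streams_without_answering(track_acceptance):
    """Replay steps 1-3 from the post with Alice never pressing 'accept'."""
    session = CallSession("eve", "alice", track_acceptance)
    session.add_participant("eve", "eve")   # step 2: Eve adds herself
    return session.media_active("alice")    # step 3: is Alice's mic live?
```

The defensive lesson is the one the patch embodies: a security-relevant action (turning on a microphone) must be gated on an explicit, per-participant consent state, not inferred from a looser membership state that other parties can change.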

Defending Against Vulnerabilities and Exploits

The above vulnerability was fixed, or patched, by Apple in iOS 12.1.4. In order for users to protect themselves from being exploited, they had to install the update on their vulnerable devices.

Vulnerabilities are like secret passages. They can potentially remain hidden forever, but once discovered, they become a weakness in a system. One unmitigated vulnerability could be all it takes to compromise an entire system. The easiest thing for a user to do is to make sure none of the known vulnerabilities can be used against them. It really is simple advice: keep systems up to date. As soon as a software vendor releases a security update, all the information an attacker needs to exploit the vulnerability on an unpatched system becomes available. Updating promptly may not always be possible, and there are many bad actors that will try to use such low-hanging fruit to gain access to systems and networks.

Check back later for more posts on types of vulnerabilities and how to find them, how to report vulnerabilities, ways to avoid introducing vulnerabilities, and plenty of other topics!