How can you tell if you are infected with a vulnerability? It is easy, you are not, and you do not get infected by vulnerabilities. So what are vulnerabilities then and why do they matter?
The presence of a vulnerability simply means that you may be able to be attacked. Cars are vulnerable to being run into. There isn’t a patch for this vulnerability, it is part of the system. The problem happens when a vulnerability is introduced by a programming error or just really bad design.
The recent vulnerabilities in Word are a problem with flaws in programming. Apple’s QuickTime movie player has a vulnerability that is due to poor design. The QuickTime player is designed to allow malicious code to run without the user being able to block it. Now that is clearly not the intent of the design, but the player was designed to let anyone, good or bad, put programs into movies and QuickTime will not allow the user to simply view the movie and not run the program. A while back Sony introduced a severe vulnerability in PCs that installed their Digital Rights Management software. In a gravely misguided effort to prevent piracy Sony installed a rootkit on computers. This made computers vulnerable to other attacks by bad guys.
The important thing here is that the vulnerabilities themselves do no harm – they allow harm to be done.
Vulnerabilities can be exploited. Not all exploits are harmful, but generally there is little point in exploiting vulnerabilities for anything other than malicious purposes. The one significant exception is a Proof Of Concept (POC) exploit. A POC exploit is designed to prove that vulnerabilities can be exploited. Sometimes companies will not fix problems until someone hits them with a brick and proves that the problem is real. Other times people just like to try to make a name for themselves or generate advertising by showing their clients or prospective clients that they are somehow great because they can exploit vulnerabilities.
How bad vulnerabilities are depends upon how they can be exploited, what an exploit can accomplish, and how common it is. In general, if a vulnerability can allow an attacker to gain control of a PC without any user intervention at all, it is the worst case. If a user must go to a web site and then no intervention is required to exploit the vulnerability, then it still can be very serious and potentially as bad as a vulnerability that requires zero user input.
Infection can be the result of exploiting vulnerabilities. .If a virus or a trojan, such as spyware, adware, or a bot is installed on your computer by exploiting a vulnerability then those are the threats that have infected your computer. Vulnerabilities are not infections. Exploits are not infections. The malicious code that is placed on your computer by exploiting vulnerabilities is an infection.
Director of Technical Education
Author ESET Research, We Live Security