Vulnerabilities vs. attack vectors...

15:50 CET on the 21st April 2010
Entry written by Carsten Eiram.

During our daily work analysing vulnerabilities in-depth, we come across cases on a regular basis where a single vulnerability with multiple attack vectors is being reported as separate vulnerabilities. To quickly cover our definitions of the terms: A "vulnerability" is a specific problem in the code having a security impact while an "attack vector" is a way of triggering / reaching the vulnerability.

There may be a number of reasons why we see different attack vectors being reported as separate vulnerabilities. Perhaps it's because it may take a lot of time and skill to fully understand some vulnerabilities, making it faster and/or easier to just report something as multiple vulnerabilities without determining anything other than that there is "memory corruption", an increasingly popular term.

As an example: Not that long ago, we did a quick test run of an internally developed fuzzer by pegging it against a product from Adobe Systems. Overnight, the fuzzer generated 400+ crash reports. Out of those crashes, about 80 of them occurred due to "memory corruption"; as half of these were triggered by manipulating different fields, this could mean that our fuzzer had found about 40 separate vulnerabilities. However, after properly analysing each crash, they all turned out to be caused by just four different vulnerabilities (having a large number of attack vectors).

As evident from the example, it may take quite a lot of time to properly understand the core problem of a vulnerability. In this case, it took a Senior Security Specialist, who's an experienced vulnerability analyst and reverse engineer, almost a week to go through the interesting crashes and confirm the root causes. A less experienced person would have spent much longer, if they ever figured some of the problems out at all.
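The triage step that separates attack vectors from vulnerabilities can be given a first-pass, mechanical form: group crashes by where they crash rather than by which input field was mutated. The following is an added example, not Secunia's fuzzer or tooling; the crash records and frame names are constructed, and the bucketing is only a heuristic that still needs the manual root-cause confirmation described above.

```python
import re
from collections import defaultdict

# Constructed crash records, not real fuzzer output: each one notes the file
# field the fuzzer mutated and the top stack frames at the faulting instruction
# (frames may carry module and offset noise, e.g. "libimg!memcpy+0x1a").
CRASHES = [
    {"field": "/Width",            "frames": ["libimg!memcpy+0x1a", "decode_image+0x4c", "parse_xobject"]},
    {"field": "/Height",           "frames": ["libimg!memcpy+0x1a", "decode_image+0x4c", "parse_xobject"]},
    {"field": "/BitsPerComponent", "frames": ["memcpy+0x20", "decode_image", "parse_xobject", "render_page"]},
    {"field": "/FontName",         "frames": ["strcpy", "load_font+0x88", "parse_resources"]},
    {"field": "/Encoding",         "frames": ["strcpy", "load_font+0x88", "parse_resources"]},
    # the same field can also reach a different bug, so counting fields is wrong both ways
    {"field": "/Width",            "frames": ["strcpy", "load_font", "parse_resources"]},
]

_NOISE = re.compile(r"^(?:[^!]+!)?([^+]+)(?:\+0x[0-9a-f]+)?$", re.I)

def normalize_frame(frame):
    """Strip module prefix and instruction offset so equal call sites compare equal."""
    m = _NOISE.match(frame)
    return m.group(1) if m else frame

def crash_site_key(frames, depth=3):
    """Bucket key: the normalized top `depth` frames of the crashing stack."""
    return tuple(normalize_frame(f) for f in frames[:depth])

def bucket_crashes(crashes, depth=3):
    """Group crashes by crash site; each bucket lists the attack vectors (fields) reaching it."""
    buckets = defaultdict(set)
    for c in crashes:
        buckets[crash_site_key(c["frames"], depth)].add(c["field"])
    return {k: sorted(v) for k, v in buckets.items()}

def naive_vuln_count(crashes):
    """One 'vulnerability' per mutated field: the over-count the post warns against."""
    return len({c["field"] for c in crashes})

def root_cause_count(crashes, depth=3):
    """Candidate root causes = distinct crash sites; a starting point for manual analysis."""
    return len(bucket_crashes(crashes, depth))

if __name__ == "__main__":
    for key, fields in bucket_crashes(CRASHES).items():
        print(" -> ".join(key), "reached via", fields)
    print(naive_vuln_count(CRASHES), "fields vs", root_cause_count(CRASHES), "crash sites")
```

Crashes sharing a site are not guaranteed to be the same bug (and one site can hide two bugs), so the buckets only tell an analyst where to start, not how many advisories to write.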

Generally, the reasons for not fully determining the root cause of a vulnerability before reporting it can probably be divided into three categories:

1) The reporter simply does not want to spend the time and effort required to figure out the core problem, but leaves that part up to someone else (e.g. the software vendor).

2) The reporter lacks the skills to properly analyse and understand the root cause of the vulnerability.

3) The reporter purposefully reports each attack vector as a separate vulnerability because it looks "better" (i.e. more vulnerabilities were discovered).

Reasons #1 and #2 are, of course, perfectly fair if the reporter is a hobby researcher not doing this as a full-time job. However, whatever the reason, reporting multiple attack vectors as multiple vulnerabilities remains a problem for both the software vendors (looks like there are more vulnerabilities in their products than is the case), vulnerability databases like Secunia and similar organisations (risk of issuing duplicate identifiers/advisories for the same vulnerability), and many other actors in the field that rely on the reported number of vulnerabilities (e.g. various organisations documenting vulnerability statistics and doing comparisons, which may be anywhere from slightly flawed to completely wrong).

Hopefully, both software vendors and researchers will do their part to ensure that vulnerabilities are being reported more accurately. At Secunia, we try to do our part by spending a large amount of resources on analysing and properly understanding both the vulnerabilities reported by third parties as well as the ones discovered internally by the Secunia Research team.

Stay Secure,

Carsten Eiram
Chief Security Specialist
