Basic knowledge about Vulnerabilities

Source: Internet
Author: User


The word "vulnerability" appears constantly in McAfee Labs threat warnings: a vulnerability has been found, or a vulnerability exists in certain versions of a product. So what is a vulnerability? A vulnerability is a program error (a bug) that can make the program misbehave under certain conditions. Attackers exploit such errors to abuse the program and cause damage.

If we compare the system to a building, the operating system (OS) is the building's infrastructure: it supports the system just as the foundation and frame support the building. Applications are the rooms in the building, or the various facilities inside the rooms, built on top of that infrastructure. The system's users are the building's residents. Doors and windows are the intended channels of interaction between rooms, and they were put there deliberately. Vulnerabilities, by contrast, are doors and windows that should never have existed, unexplained holes in the walls, or dangerous materials and items that could damage the building. Such defects can let strangers intrude into the building or otherwise threaten its security. That is what a vulnerability is. For security reasons, vulnerabilities in a system must be kept to a minimum, because each one is a potential entry point through which an intruder can break into the system and plant malware, which affects the vital interests of the system's users.

Every vulnerability is different, but according to how it is exploited, vulnerabilities can be divided into local vulnerabilities and remote vulnerabilities.

Local vulnerabilities:

Local vulnerabilities require the intruder to use an existing or stolen identity to gain physical access to the machine and its hardware. In our analogy, the intruder must either be a resident of the building or impersonate one.

Remote vulnerabilities:

Compared with local vulnerabilities, remote vulnerabilities do not require the intruder to have access to the machine at all: the attacker only needs to send malicious files or packets to the system. This is why remote vulnerabilities are more dangerous than local ones.

Vulnerabilities are also classified by risk level: high-risk, medium-risk, or low-risk. The level assigned depends largely on the standard each vendor adopts. McAfee defines risk levels to give customers a clear picture of what could happen and to keep them vigilant.

High-risk vulnerabilities:

Remote Code Execution (RCE): the most dangerous class. An attacker who exploits such a vulnerability gains complete control of the vulnerable system. It allows malware to run without any warning to the user, and some of the most dangerous malware relies on this kind of vulnerability to launch its attacks. If a security patch is released for a vulnerability, it usually means the vulnerability is high-risk; do not ignore any such warning.

DoS: a denial-of-service vulnerability, the other high-risk class, can freeze or crash the vulnerable program (or even the hardware). The Anonymous group has used DoS vulnerabilities to launch attacks. If the target is a router, a server, or any other piece of network infrastructure, it is not hard to imagine how chaotic the result is. The severity of a DoS vulnerability depends on which "room" is taken out of service: in the analogy, losing the bathroom or living room matters far more than losing the storage room.

Moderate-risk vulnerabilities:

These vulnerabilities are like siblings: very similar to each other, but with nuances in specific situations. Moderate-risk vulnerabilities include the Privilege Escalation "twins" and their "sibling", Security Bypass.

Privilege Escalation (PE): this vulnerability allows an attacker to perform operations without holding the legitimate user permissions for them. The "twins" are its two forms: horizontal PE and vertical PE. Horizontal PE lets an attacker obtain the permissions of another user at the same level. The most common attacks of this type are seen on forums: the attacker jumps from one user account to another and can browse or modify that user's information or posts, but generally gains no more than the same level of permissions. Vertical PE gives the attacker the additional permissions they want, for example "jumping" from a local user to an administrator. In this way the attacker gains partial or complete access to restricted areas of the system and can then cause damage.
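To make the horizontal/vertical distinction concrete, here is an added example (not code from the original article) of a toy forum authorization check. The user names, posts and action names are constructed; the weak check shows both escalation classes slipping through, and the hardened check labels each refused attempt so a log reviewer can tell them apart.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Post:
    post_id: int
    owner: str


# Constructed sample data (assumption): two ordinary forum users and one admin.
USERS = {
    "alice": User("alice", "user"),
    "bob": User("bob", "user"),
    "root": User("root", "admin"),
}
POSTS = {1: Post(1, "alice"), 2: Post(2, "bob")}

# Actions that only an administrator may perform (constructed names).
ADMIN_ACTIONS = {"delete_user", "ban_user"}


def check_vulnerable(actor: str, action: str, post_id: Optional[int] = None) -> str:
    """Weak check: being logged in is all that is verified, so any user may edit
    any post (horizontal PE) or run admin-only actions (vertical PE)."""
    return "allowed" if actor in USERS else "denied:unknown"


def check(actor: str, action: str, post_id: Optional[int] = None) -> str:
    """Hardened check: returns 'allowed' or 'denied:<reason>', where the reason
    names the escalation class that was attempted (useful in audit logs)."""
    user = USERS.get(actor)
    if user is None:
        return "denied:unknown"
    if action in ADMIN_ACTIONS:
        # Vertical PE attempt: an ordinary user trying to act as an administrator.
        return "allowed" if user.role == "admin" else "denied:vertical"
    if action == "edit_post":
        post = POSTS.get(post_id)
        if post is None:
            return "denied:unknown"
        # Horizontal PE attempt: a same-level user touching another user's post.
        if post.owner != user.name and user.role != "admin":
            return "denied:horizontal"
        return "allowed"
    return "denied:unknown"
```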

Security Bypass (SB): broadly speaking, like PE, a security bypass lets an attacker perform operations without authorization. The difference is that a bypass takes effect in the system's Internet-connected environment: if a program has a security bypass vulnerability, malicious traffic may escape detection.

Medium-risk vulnerabilities are not too dangerous on their own; if the system is properly protected, they will not cause catastrophic consequences. The real danger lies in chaining privilege escalation with security bypass: an attacker who enters the system as an ordinary user or guest can bypass security measures and install or modify programs, causing a great deal of damage. Compared with remote code execution, it is harder for an attacker to get into our "building" (the system) through privilege escalation and security bypass, but it is not impossible.

Low-risk vulnerabilities:

Information Leakage (ID): this vulnerability lets an attacker read information that would normally be inaccessible. Information leakage is rated low-risk because the attacker can only read information and cannot perform any other substantive operation; to make use of what they read, the attacker must exploit another vulnerability or find key material such as a password file. However, information leakage must be assessed case by case, because its risk level changes easily: a different vulnerable program, different leaked information, or a different network environment can all change the level. For example, information leaked from a certificate authority such as Comodo or DigiNotar can have catastrophic consequences, and leakage from critical networks or machines that store very important information is just as dangerous. Even when an information leak does not look dangerous, do not be fooled by appearances.

Although medium-risk and low-risk vulnerabilities are less severe than remote code execution or DoS, we cannot take them lightly. Experienced attackers can sometimes cause damage, such as intellectual property theft, using these vulnerabilities alone. Such attacks do leave clear traces, but the volume of data stored in activity logs is so large that users can only find the suspicious traces through slow, meticulous searching. At the same time, our users usually do not treat log review as a preventive measure, so the attacker's use of the vulnerability is only discovered after the damage is done.
