Computer Security

Share this article:

Computer Security

  • Join our comunity:

What Are Software Vulnerabilities, and Why Are There So Many of Them?

By: , Posted on: June 29, 2017

It’s software: There’s always a way in. BeeBright via

The recent WannaCry ransomware attack spread like wildfire, taking advantage of flaws in the Windows operating system to take control of hundreds of thousands of computers worldwide. But what exactly does that mean?

It can be useful to think of hackers as burglars and malicious software as their burglary tools. Having researched cybercrime and technology use among criminal populations for more than a decade, I know that both types of miscreants want to find ways into secure places – computers and networks, and homes and businesses. They have a range of options for how to get in.

Some burglars may choose to simply smash in a window or door with a crowbar, while others may be stealthier and try to pick a lock or sneak in a door that was left open. Hackers operate in a similar fashion, though they have more potential points of entry than a burglar, who is typically dependent on windows or doors.

Chapter Download: Vulnerabilities to Address

The weaknesses hackers exploit aren’t broken windowpanes or rusty hinges. Rather, they are flaws in software programs running on a computer. Programs are written by humans, and are inherently imperfect. Nobody writes software completely free of errors that create openings for potential attackers.

What are these flaws, really?

In simple terms, a vulnerability can be an error in the way that user management occurs in the system, an error in the code or a flaw in how it responds to certain requests. One common vulnerability allows an attack called a SQL injection. It works on websites that query databases, such as to search for keywords. An attacker creates a query that itself contains code in a database programming language called SQL.

If a site is not properly protected, its search function will execute the SQL commands, which can allow the attacker access to the database and potentially control of the website.

Similarly, many people use programs that are supported by the Java programming language, such as Adobe Flash Player and various Android applications. There are numerous vulnerabilities in the Java platform, all of which can be exploited in different ways, but most commonly through getting individuals to download “plug-ins” or “codecs” to software. These plug-ins actually contain malicious code that will take advantage of the vulnerability and compromise the machine.

Flaws are everywhere

Vulnerabilities exist in all types of software. Several versions of the Microsoft Windows operating system were open to the WannaCry attack. For instance, the popular open-source web browser Firefox has had more than 100 vulnerabilities identified in its code each yearsince 2009. Fifteen different vulnerabilities have been identified in Microsoft Internet Explorer browser variants since the start of 2017.

Software development is not a perfect process. Programmers often work on timelines set by management teams that attempt to set reasonable goals, though it can be a challenge to meet those deadlines. As a result, developers do their best to design secure products as they progress but may not be able to identify all flaws before an anticipated release date. Delays may be costly; many companies will release an initial version of a product and then, when they find problems (or get reports from users or researchers), fix them by releasing security updates, sometimes called patches because they cover the holes.

But software companies can’t support their products forever – to stay in business, they have to keep improving programs and selling copies of the updated versions. So after some amount of time goes by, they stop issuing patches for older programs.

Not every customer buys the latest software, though – so many users are still running old programs that might have unpatched flaws. That gives attackers a chance to find weaknesses in old software, even if newer versions don’t have the same flaws.

Exploiting the weaknesses

Once an attacker identifies a vulnerability, he can write a new computer program that uses that opportunity to get into a machine and take it over. In this respect, an exploit is similar to the way burglars use tools like crowbars, lock picks or other means of entry into a physical location.

They find a weak point in the system’s defenses, perhaps a network connection that hasn’t been properly secured. If attackers can manage to gain contact with a target computer, they can learn about what sort of system it is. That lets them identify particular approaches – accessing specific files or running certain programs – that can give them increasing control over the machine and its data. In recent years, attackers began targeting web browsers, which are allowed to connect to the internet and often to run small programs; they have many vulnerabilities that can be exploited. Those initial openings can give an attacker control of a target computer, which in turn can be used as a point of intrusion into a larger sensitive network.

Sometimes the vulnerabilities are discovered by the software developers themselves, or users or researchers who alert the company that a fix is needed. But other times, hackers or government spy agencies figure out how to break into systems and don’t tell the company. These weaknesses are called “zero days,” because the developer has had no time to fix them. As a result, the software or hardware has been compromised until a patch or fix can be created and distributed to users.

The best way users can protect themselves is to regularly install software updates, as soon as updates are available.

This article was originally published on The Conversation website under a Creative Commons Attribution 4.0 International License. Read the original article here.

advanced persistent security

If you found this article interesting, you may be interested in browsing more content on ScienceDirect. We are pleased to offer you a free chapter from the Advanced Persistent Security book called “Vulnerabilities to Address” below:

Chapter Download: Vulnerabilities to Address

Visit to access content on cybersecurity and more! Use discount code STC317 at checkout and save up to 30% on your very own copy!

Connect with us on social media and stay up to date on new articles

Computer Security

Securing computer systems is crucial in our increasingly interconnected electronic world. With so many business, consumer, and governmental processes occurring online, a growing potential exists for unauthorized access, change, or destruction of those processes. For years, Elsevier’s Syngress imprint has helped computer and information security professionals learn theory, strategy, and tactics for protecting digital assets in this constantly evolving field. Our books and eBooks in areas such as info security, digital forensics, hacking and penetration testing, certification, and IT security and administration. Click here for Syngress companion materials Click here for access to our archive of free eBooks, booklets and downloadable PDFs for Syngress and Computer security content. Access companion materials and instructor’s resources for all our books from the Elsevier Store. Search by author, title or ISBN, then look for the “Resources” tab on any book page.