A security vulnerability is in the field of information security an error in a software , through a program with malicious effect ( Exploit ) or an attacker to compromise a computer system can penetrate.
A security vulnerability represents a threat to the security of a computer system. There is a risk that the security vulnerability could be exploited and the affected computer system could be compromised. Security gaps arise, among other things, from inadequate protection of a computer against attacks from the network (for example due to a lack of firewall or other security software ) as well as programming errors in the operating system , web browser or other software applications that are run on the system.
Security gaps can arise in the development process if security aspects are neglected in planning, conception and development and security requirements are not sufficiently taken into account, e.g. B. as quality goals. Furthermore, security gaps result from errors that can arise due to the complexity of software systems in the development process. Rough estimates show that a programmer generates one error per 1000 program lines, which corresponds to a per thousand error rate ; with 1,000,000 lines, about 1,000 errors are to be expected. If not all errors are found in the alpha and beta process , a defective product is created.
Many errors are never discovered because the error content is low or the effect would only cause damage if the program ran for a long time. In highly complex programs, such simple errors are initially only documented when they are discovered and only corrected later. This is not only for cost reasons, but also because every change to the program code that is necessary for rectification can in turn be the source of new errors. However, some errors create serious security holes without immediately leading to a complete crash.
Such security gaps are symptomatic of programs that have been written with programming languages that are optimized with regard to performance (for example C or assembler ) and are prone to errors due to their programming model (keyword: pointer arithmetic ). Due to the widespread use of such programming languages, the high time pressure in software generation, combined with the pronounced cost pressure of the software producer companies and the less sensitive handling of the topic of secure software, security gaps are the rule rather than the exception.
A frequently cited problem is primarily software offers from hardware manufacturers for their products, which are often only included with certain products for marketing reasons (compare video editing software for camcorders ). Due to inexpensive development and the resulting poor programming, a large number of program errors and security gaps are created, which mainly affect the home user area. To make matters worse, hardware companies are often not specialized in the development of application software, so development contracts with external companies and thus the product quality can no longer easily check themselves. On the other hand, the external companies may not even specialize in the development of the special software. These factors mean that new, buggy software keeps coming onto the market instead of old software being further developed and improved.
Some massive problems and errors could easily be avoided today if programming languages such as Modula-2 , Eiffel , Oberon or Component Pascal , in their respective versions, were used instead of the very system-oriented languages that allow direct addressing of memory areas ; It has been proven that operating systems and drivers can also be written very efficiently with it.
Under certain circumstances, these program errors enable an attacker to break into a computer system with an exploit, for example , and to execute programs there that could damage. One of the most common errors used to intrude into computer systems is the buffer overflow . Insufficient or no checking of the copied amount of data leads to the overwriting of other program parts, which is used by attackers to change the program or introduce other program parts.
In so-called closed source applications, it is the task of the program manufacturer to fix the security gap by means of a patch or the provision of a new, corrected version. The adjustment is not mandatory and can be omitted if z. B. the support cycle for the product has expired or the manufacturer does not recognize the security gap as such and sees no need for action.
In the case of open source and free software, there are often several developers (mostly those who have been involved with this software for a long time), scattered around the world, who write a patch for it as soon as the bug is discovered and published. Especially with large open source projects, such as B. Linux usually provides patches shortly after the vulnerability is discovered to fix it.
Well-known security vulnerabilities include:
- Heartbleed ( OpenSSL , 2014)
- Shellshock ( Bash , 2014)
- Stagefright ( Android , 2015)
- EternalBlue ( Windows , 2017)
- BlueKeep (Windows, 2019)
Security gaps are published on:
- Bugtraq (archive; English)
- scip AG (archive; German)
- Heise Security
- Vigil @ nce vulnerabilities (archive; English)
- ACM Sigsoft SEN: ACM Fellow David Lorge Parnas. February 28, 2019, accessed December 2, 2019 .
- https://portal.msrc.microsoft.com/de-de/security-guidance/advisory/CVE-2019-0708. Accessed December 2, 2019 .