
What’s an Exploit?

Question: I recently ran Microsoft Safety Scan, which identified a Java exploit. Are Java exploits a dangerous threat or do they merely function as a tool allowing hackers to infect your computer with malicious software? If the computer is otherwise clean, there’s no reason to worry that the computer has been compromised, right?

The issue here is that the term “exploit” really isn’t clear. In the industry, it ends up being used somewhat ambiguously to mean a couple of things. That can be frustratingly vague.

So, I’ll throw out two definitions of exploit for you.


Exploit #1: a vulnerability

“Exploit” is sometimes used to refer to a vulnerability. It is kind of like a hole in the wall of the metaphorical bathroom that I talked about in “Why wouldn’t an exploit be caught by my anti-malware tools?” In that article, I compared software to a bathroom and exploits to the holes in the wall that could be used to peek at you.

You need to remember that just because there’s a hole in the wall, it doesn’t necessarily mean that somebody is looking through it. It just means that the hole exists.

In this usage, an exploit is simply a vulnerability that exists in the software, with no implication that anyone is using it. Sure, someone could potentially take the next step, but if nobody knows about the hole, does it matter?

Exploit #2: a vulnerability being used

The other definition of exploit refers specifically to when someone does take the next step. If we use the bathroom analogy again, this usage of exploit is equivalent to someone actually peeking through the hole into your bathroom. In other words, some malicious person found a vulnerability and created malware to exploit it.

Is it an exploit? Or an exploit?

As you can see, the two usages are similar and sometimes interchangeable. “Exploit” is often used in very ambiguous ways, including in warning messages presented by anti-malware tools.

The only thing you can do to be safe is to assume the worst. If your anti-malware tools warn you of an exploit, assume that it detected malware on your machine, even if the exploit is really just a vulnerability in the software.

If you receive a notification of an exploit, do the things you should be doing anyway. Keep your machine and its software up-to-date. Run good anti-malware tools that have been updated with the latest malware definitions.

If you can, consider not installing Java. That’s actually my recommendation for Java in general, even though they keep fixing the new vulnerabilities that are continually discovered. Java is just too scary and fundamentally insecure. If you must keep Java on your machine because you use software that requires it, keep it up-to-date.

Ultimately, an error message that tells you that you have an exploit on your machine doesn’t really tell you exactly what you have. The safest thing to do is assume the worst.

