What’s an exploit?

I recently ran Microsoft Safety Scan, which identified a Java exploit. Are Java exploits a dangerous threat or do they merely function as a tool allowing hackers to infect your computer with malicious software? If the computer is otherwise clean, there’s no reason to worry that the computer has been compromised, right?

The issue here is that the term “exploit” really isn’t clear. In the industry, it ends up being used somewhat ambiguously to mean a couple of things. That can be frustratingly vague.

So, I’ll throw out two definitions of exploit for you.


Exploit #1: a vulnerability

“Exploit” is sometimes used to refer to a vulnerability. It is kind of like a hole in the wall of the metaphorical bathroom that I talked about in “Why wouldn’t an exploit be caught by my anti-malware tools?” In that article, I compared software to a bathroom and exploits to holes in the wall that could be used to peek at you.

You need to remember that just because there’s a hole in the wall, it doesn’t necessarily mean that somebody is looking through it. It just means that the hole exists.

In this usage, an exploit is simply a vulnerability that exists in the software, without any implication that anyone will use it. Sure, someone could potentially take the next step, but if people don’t know about it, does it matter?

Exploit #2: a vulnerability being used

The other definition for exploit refers specifically to when someone does take the next step. If we use the bathroom analogy again, this usage of exploit is equivalent to someone who actually peeks through the hole into your bathroom. In other words, some malicious person found a vulnerability and created malware to exploit it.

Is it an exploit? Or an exploit?

As you can see, the usages are similar and sometimes interchangeable. “Exploit” is often used in very ambiguous ways, including in error messages presented by anti-malware tools.

The only thing you can do to be safe is to assume the worst. If your anti-malware tools warn you of an exploit, assume that it detected malware on your machine, even if the exploit is really just a vulnerability in the software.

If you receive a notification of an exploit, do the things you should normally be doing. Keep your machine and its software up-to-date. Run good anti-malware tools that have been synced to an up-to-date database of malware.

If you can, consider not installing Java. That’s actually my recommendation for Java in general, even though they keep fixing the new vulnerabilities that continually get discovered. Java is just too scary and fundamentally insecure. If you must keep Java on your machine because you use software that requires it, keep it up-to-date.

Ultimately, an error message that tells you that you have an exploit on your machine doesn’t really tell you exactly what you have. The safest thing to do is assume the worst.
