And more importantly, what can you do to protect yourself?
Let’s define some terms with what I’m thinking is my silliest metaphor ever, and then talk about how to stay safe.
Vulnerabilities and Exploits
A “vulnerability” in software isn’t really a bad thing in and of itself. It’s kind of like a hole in a bathroom wall – as long as no one’s looking through the hole, there’s no damage done.
Naturally, you’d like to have the problem fixed and the hole repaired (i.e. you’d like your software to be updated, so the vulnerability is removed), but as long as the hole hasn’t been found by anyone, it’s not really putting you at imminent risk. It shouldn’t be there, of course, but as long as no one knows about it, all is well.
An exploit is like someone finding the hole and looking in at whatever’s happening in your bathroom. If the hole’s big enough, perhaps they can even reach in and steal personal things like your toothbrush, or flush your toilet when you’re not looking.
A software exploit could do things like look at the information on your computer, steal personal things like your passwords, or use your computer to send spam when you’re not looking.
And yes, I just compared spam to whatever you might flush down your toilet.
If we extend this “I-can’t-believe-I’m-writing-this” metaphor further, we need to factor in anti-malware tools.
Anti-spyware tools are kind of like security cops. They don’t know about the holes, but they have a list of just about all the other places from which you could be spied on. They monitor the doors and windows and make sure no one has installed a video camera in the medicine cabinet. As soon as they see suspicious activity in those locations, they alert you and attempt to remove the threat.
Anti-virus tools are more like security cops with a big book of mugshots of all the people who are known to look in holes in bathroom walls. As soon as they see someone from that book, they kick them out, or at least let you know they’re lurking about.
The problem, of course, is that these cops are only as good as the information they carry. If the anti-spyware cop is unaware of the fact that video cameras can also be placed in the light fixture, they won’t check that. If the anti-virus cop doesn’t have the photo of the Peeping Tom discovered elsewhere this morning, he won’t recognize him.
That’s why I so often insist that you not only have up-to-date anti-malware software (cops that know all the important tricks of the trade), but that you make sure to update their databases of malware (the list of places to look and malcontents to look for) consistently.
The metaphor can be extended even further. Not all cops are the same; some are better at seeing certain kinds of things than others, others get better data from their head office, and so on.
And some are just incompetent.
Ultimately, though, not having up-to-date tools with up-to-date information is one way that malware makes it into your system.
Unlike a bathroom wall, the vulnerabilities or “holes” in software are often not obvious or easy to discover. It’s not uncommon for a vulnerability to exist for years before someone stumbles across it and develops a way to exploit it.
To continue the “computer software is like a bathroom” story even further, the holes in your wall are very, very difficult to find. Depending on the quality of the original builder, there may be many easier-to-find holes, but those are often found and fixed relatively quickly.
And here’s the scary part: hackers are like someone who spends all day and night looking at your bathroom wall from the outside, hoping to find a hole no one else has found before. It’s not a “new” hole – it was there all along – but it is a new discovery, and often termed a “new” vulnerability.
Or sometimes they’ll find a new way to use a previously known hole that hasn’t been patched yet.
Either way, as soon as they’re successful, they create malware which exploits the fact that your bathroom wall (the software on your computer) has an unpatched hole.
Exactly. The problem is, as I mentioned above, that the holes can be extremely hard to find.
But once they’re found, the hole is patched by updating the software on your machine to versions that no longer have the holes.
Usually. Some holes are fixed more quickly than others, and some may not be fixed at all. Some holes are harder to patch than others.
One issue is that some holes are worse than others. A hole that allows someone to see your toothbrush might be less important than a hole that allows someone to actually steal it.
Another issue is that fixing a hole can damage the wall, sometimes to the extent that a new hole is created elsewhere. By that, I mean fixing a bug in software can unintentionally introduce other bugs. Thus the benefit of fixing a known hole has to be weighed against the risk that doing so might create another hole we won’t know about.
The bottom line here, though, is that having out-of-date software – software with known holes in it that have been fixed by updates you haven’t downloaded yet – is another way malware can find its way onto your machine.
Avoiding holes: extreme version
To continue our now tortured comparison:
- Many, many people had this model of “bathroom”. (Many people had Java installed.)
- In recent years, many holes were found and repaired in this bathroom’s walls. (Java has a history of vulnerabilities.)
- A new hole was discovered, and new people were found looking in, before the security cop’s mugbook could be updated. (A new “zero day” exploit of a vulnerability in Java was found in the wild.)
- Until the hole was patched, everyone using this bathroom was vulnerable to having their toothbrush stolen, or worse. (Everyone with Java on their machine was at risk.)
The metaphor breaks down at this point, because while most of us may not need Java (the advice remains to uninstall it unless you know you need it), we all need to use the bathroom.
Avoiding holes: more common version
The advice for avoiding software exploits is the same as it’s always been:
- Keep your computer software up to date. (Keeps the holes we know about patched.)
- Keep your anti-malware tools up to date, and keep their databases up to date. (Keeps the security cops sharp and with current information on what to look for.)
- In some cases, uninstall software that is known to have issues. (Keeps you from doing things that a Peeping Tom might see or use against you.)
- And of course, don’t invite a crowd of Peeping Toms onto your computer by opening attachments that you’re not certain are safe, running questionable downloads, or visiting questionable sites.
In other words, keep your bathroom clean, and don’t invite strangers in.
And, yes, even after doing all that, there’s still the possibility of a hole you don’t know about being found and exploited before all the defenses are updated.
To answer your second question: what can malware do? Essentially, anything it wants. Naturally the specifics depend on the size of the hole being exploited, and what’s available on your computer, but it’s safest to assume that once a vulnerability on your machine is exploited and an infection occurs, all bets are off.
System Restore can sometimes help, but there are two problems with it:
- In my experience, it’s extremely unreliable. There’s nothing worse than counting on System Restore to save you, only to have it respond with things like “No Restore Points Found” or the like.
- You’re still not sure the malware is gone. System Restore doesn’t restore everything, and those things it does not restore remain infected if they were, in fact, infected to begin with.
Try System Restore if you like – be sure to run full and updated anti-malware scans thereafter – but it’s not something I feel at all confident relying on.
As for me … I’m moving my toothbrush. 🙂