Malware
==Risks==

===Vulnerable software===
A [[Vulnerability (computing)|vulnerability]] is a weakness, [[Design flaw|flaw]] or software bug in an [[Application software|application]], a complete computer, an [[operating system]], or a [[computer network]] that malware exploits to bypass defences or [[Privilege escalation|gain the privileges]] it requires to run. For example, [[TestDisk|TestDisk 6.4]] or earlier contained a vulnerability that allowed attackers to inject code into Windows.<ref>{{cite book|chapter-url=https://doi.org/10.1109/SISY.2015.7325394|doi=10.1109/SISY.2015.7325394|chapter=Modern binary attacks and defences in the windows environment – Fighting against microsoft EMET in seven rounds|title=2015 IEEE 13th International Symposium on Intelligent Systems and Informatics (SISY)|year=2015|last1=Nemeth|first1=Zoltan L.|pages=275–280|isbn=978-1-4673-9388-1|s2cid=18914754}}</ref> Malware can exploit security defects ([[security bug]]s or [[Software vulnerability|vulnerabilities]]) in the operating system, in applications such as browsers (for example, the older versions of Microsoft Internet Explorer supported by Windows XP<ref>{{cite web|title=Global Web Browser... Security Trends|publisher=Kaspersky lab|date=November 2012|url=http://www.kaspersky.com/images/Kaspersky_Report_Browser_Usage_ENG_Final.pdf|access-date=17 January 2013|archive-date=2 February 2013|archive-url=https://web.archive.org/web/20130202153249/http://www.kaspersky.com/images/Kaspersky_Report_Browser_Usage_ENG_Final.pdf|url-status=dead}}</ref>), or in vulnerable versions of browser plugins such as [[Adobe Flash Player#Security|Adobe Flash Player]], [[Adobe Acrobat#Security|Adobe Acrobat or Reader]], or [[Java SE#Critical security issues with the Java SE plugin|Java SE]].<ref>{{cite web|last=Rashid|first=Fahmida Y.|title=Updated Browsers Still Vulnerable to Attack if Plugins Are Outdated|publisher=pcmag.com|date=27 November 2012|url=http://securitywatch.pcmag.com/none/305385-updated-browsers-still-vulnerable-to-attack-if-plugins-are-outdated|access-date=17 January 2013|archive-url=https://web.archive.org/web/20160409063012/http://securitywatch.pcmag.com/none/305385-updated-browsers-still-vulnerable-to-attack-if-plugins-are-outdated|archive-date=9 April 2016|url-status=dead}}</ref><ref>{{cite web|last=Danchev|first=Dancho|title=Kaspersky: 12 different vulnerabilities detected on every PC|publisher=pcmag.com|date=18 August 2011|url=http://www.zdnet.com/blog/security/kaspersky-12-different-vulnerabilities-detected-on-every-pc/9283|access-date=17 January 2013|archive-date=5 July 2014|archive-url=https://web.archive.org/web/20140705182539/http://www.zdnet.com/blog/security/kaspersky-12-different-vulnerabilities-detected-on-every-pc/9283|url-status=dead}}</ref>

A common method is exploitation of a [[buffer overrun]] vulnerability: software that stores data in a fixed-size region of memory fails to check that the supplied data fits, so more data than the buffer can hold is written past its end. Malware supplies input that overflows the buffer, placing malicious [[executable]] code or attacker-chosen data beyond it; when the program later uses that overwritten memory (a saved return address, for instance), it does what the attacker, not the legitimate software, determines.

Malware can exploit recently discovered vulnerabilities before developers have had time to release a suitable [[Patch (computing)|patch]].<ref name=":2" /> Even once a patch has been released it may not be installed promptly, leaving unpatched systems exposed. Sometimes applying a patch or installing a new version does not remove the old, vulnerable version, which remains available to attack. Users can stay informed about, and protected from, security vulnerabilities in software in several ways. Software providers announce updates that address security issues.<ref>{{cite web|url=https://www.adobe.com/support/security/|title=Adobe Security bulletins and advisories|publisher=Adobe.com|access-date=19 January 2013|archive-date=15 November 2013|archive-url=https://web.archive.org/web/20131115002036/http://www.adobe.com/support/security/|url-status=live}}</ref> [[Common Vulnerabilities and Exposures|Common vulnerabilities]] are assigned unique identifiers (CVE IDs) and listed in public databases such as the [[National Vulnerability Database]]. Tools such as Secunia PSI,<ref>{{cite magazine|last=Rubenking|first=Neil J.|url=https://www.pcmag.com/article2/0,2817,2406767,00.asp|title=Secunia Personal Software Inspector 3.0 Review & Rating|magazine=PCMag.com|access-date=19 January 2013|archive-date=16 January 2013|archive-url=https://web.archive.org/web/20130116064450/http://www.pcmag.com/article2/0,2817,2406767,00.asp|url-status=live}}</ref> free for personal use, can scan a computer for outdated software with known vulnerabilities and attempt to update it.
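The buffer overrun described above, shown as an added worked example in C; this code is not from the article or from any of the works it cites. It models a stack frame as a struct holding a 16-byte input buffer with the saved return address directly above it, and runs the same oversized input through an unchecked copy and a bounds-checked one. The frame layout, the addresses and the 24-byte payload are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame: a 16-byte input buffer with the
 * saved return address immediately above it. A real frame also holds
 * saved registers and possibly a stack canary, but the principle
 * (buffer below control data, writes grow upward into it) is the same. */
struct frame {
    char     buf[16];
    uint64_t ret;
};
_Static_assert(offsetof(struct frame, ret) == 16, "ret must follow buf directly");

#define LEGIT_RET    0x401000ULL            /* hypothetical legitimate return address */
#define ATTACKER_RET 0x4141414141414141ULL  /* what eight bytes of 'A' become */

/* Deliberately vulnerable: copies len bytes without comparing len against
 * sizeof(f->buf), so bytes 16..23 of the input land on ret. The clamp to
 * sizeof(*f) only keeps the demo inside the struct; a real overflow keeps
 * writing upward past the frame. */
void vuln_copy(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof(*f))
        len = sizeof(*f);
    memcpy((unsigned char *)f, in, len);   /* missing check: len > sizeof(f->buf) */
}

/* Hardened: input that does not fit is refused, so ret is never touched.
 * Returns 0 on success, -1 when the caller supplied too much data. */
int safe_copy(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof(f->buf))
        return -1;
    memcpy(f->buf, in, len);
    return 0;
}

/* Constructed 24-byte payload: 16 filler bytes to fill buf, then eight
 * bytes of 'A' aimed at the saved return address. */
static void build_payload(unsigned char out[24])
{
    memset(out, 'X', 16);
    memset(out + 16, 'A', 8);
}

/* Value of ret after the unchecked copy: the attacker's bytes. */
uint64_t ret_after_vuln_copy(void)
{
    struct frame f = { {0}, LEGIT_RET };
    unsigned char payload[24];
    build_payload(payload);
    vuln_copy(&f, payload, sizeof payload);
    return f.ret;
}

/* Status of the hardened copy with the same payload: rejected (-1). */
int status_of_safe_copy(void)
{
    struct frame f = { {0}, LEGIT_RET };
    unsigned char payload[24];
    build_payload(payload);
    return safe_copy(&f, payload, sizeof payload);
}

/* Value of ret after the hardened copy: still the legitimate address. */
uint64_t ret_after_safe_copy(void)
{
    struct frame f = { {0}, LEGIT_RET };
    unsigned char payload[24];
    build_payload(payload);
    (void)safe_copy(&f, payload, sizeof payload);
    return f.ret;
}

int main(void)
{
    printf("unchecked copy: ret = 0x%llx\n",
           (unsigned long long)ret_after_vuln_copy());
    printf("bounded copy:   status = %d, ret = 0x%llx\n",
           status_of_safe_copy(), (unsigned long long)ret_after_safe_copy());
    return 0;
}
```

The unchecked copy leaves `ret` equal to `0x4141414141414141`: the program would "return" to an attacker-chosen address, which is exactly the control transfer the paragraph describes. Stack canaries, non-executable stacks and address-space randomisation raise the cost of turning such an overwrite into code execution, but none of them removes the need for the length check in `safe_copy`.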
[[Firewall (computing)|Firewalls]] and [[Intrusion detection system|intrusion prevention systems]] can monitor network traffic for suspicious activity that might indicate an attack.<ref>{{Cite book|last1=Morales|first1=Jose Andre|last2=Al-Bataineh|first2=Areej|last3=Xu|first3=Shouhuai|last4=Sandhu|first4=Ravi|chapter=Analyzing and Exploiting Network Behaviors of Malware|date=2010|editor-last=Jajodia|editor-first=Sushil|editor2-last=Zhou|editor2-first=Jianying|title=Security and Privacy in Communication Networks|chapter-url=https://link.springer.com/chapter/10.1007/978-3-642-16161-2_2|series=Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering|volume=50|language=en|location=Berlin, Heidelberg|publisher=Springer|pages=20–34|doi=10.1007/978-3-642-16161-2_2|isbn=978-3-642-16161-2|access-date=2 December 2021|archive-date=2 December 2021|archive-url=https://web.archive.org/web/20211202085918/https://link.springer.com/chapter/10.1007/978-3-642-16161-2_2|url-status=live}}</ref>

===Excessive privileges===
Users and programs can be assigned more [[Privilege (computing)|privileges]] than they require, and malware can take advantage of this. For example, of 940 Android apps sampled, one third asked for more privileges than they needed.<ref>{{Cite book|last1=Felt|first1=Adrienne Porter|author1-link=Adrienne Porter Felt|last2=Chin|first2=Erika|last3=Hanna|first3=Steve|last4=Song|first4=Dawn|last5=Wagner|first5=David|title=Proceedings of the 18th ACM conference on Computer and communications security|chapter=Android permissions demystified|date=2011-10-17|chapter-url=https://doi.org/10.1145/2046707.2046779|series=CCS '11|location=New York, NY, USA|publisher=Association for Computing Machinery|pages=627–638|doi=10.1145/2046707.2046779|isbn=978-1-4503-0948-6|s2cid=895039}}</ref> Apps targeting the [[Android (operating system)|Android]] platform can be a major source of malware infection; one mitigation is third-party software that detects apps which have been granted excessive privileges.<ref>{{Cite book|last1=Wu|first1=Sha|last2=Liu|first2=Jiajia|title=ICC 2019 - 2019 IEEE International Conference on Communications (ICC)|chapter=Overprivileged Permission Detection for Android Applications|date=May 2019|chapter-url=https://ieeexplore.ieee.org/document/8761572|pages=1–6|doi=10.1109/ICC.2019.8761572|isbn=978-1-5386-8088-9|s2cid=198168673|access-date=1 January 2022|archive-date=21 January 2022|archive-url=https://web.archive.org/web/20220121021339/https://ieeexplore.ieee.org/document/8761572/|url-status=live}}</ref>

Some systems allow all users to make changes to the core components or settings of the system, which is considered [[Administrative privileges|over-privileged]] access today. This was the standard operating procedure for early microcomputer and home computer systems, where there was no distinction between an ''administrator'' or ''root'' and a regular user of the system. In some systems, [[system administrator|non-administrator]] users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system.
In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status.<ref>{{Cite web|title=Malware, viruses, worms, Trojan horses and spyware|url=https://list.ercacinnican.tk/|access-date=2020-11-14|website=list.ercacinnican.tk|archive-date=5 February 2021|archive-url=https://web.archive.org/web/20210205072901/https://list.ercacinnican.tk/|url-status=dead}}</ref> This can happen because users tend to demand more privileges than they need, and so end up being assigned unnecessary ones.<ref>{{Citation|last1=Mutch|first1=John|title=The Hard and Soft Cost of Apathy|date=2011|url=https://doi.org/10.1007/978-1-4302-3922-2_10|work=Preventing Good People from doing Bad Things: Implementing Least Privilege|pages=163–175|editor-last=Mutch|editor-first=John|place=Berkeley, CA|publisher=Apress|language=en|doi=10.1007/978-1-4302-3922-2_10|isbn=978-1-4302-3922-2|access-date=2021-12-02|last2=Anderson|first2=Brian|editor2-last=Anderson|editor2-first=Brian|archive-date=27 February 2023|archive-url=https://web.archive.org/web/20230227061951/https://link.springer.com/chapter/10.1007/978-1-4302-3922-2_10|url-status=live}}</ref>

Some systems allow code executed by a user to exercise all rights of that user, which is known as over-privileged code. This was also standard operating procedure for early microcomputer and home computer systems. Malware running as over-privileged code can use this privilege to subvert the system.
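The least-privilege counter-measure to over-privileged code, as an added example in C that is not code from the article or from any cited work: a program does whatever privileged setup it needs first, then permanently drops to an unprivileged uid and gid before it touches untrusted input, and verifies the drop rather than assuming it. The target account is a stand-in (the demo reuses the invoking user's own ids so it runs without root); a real service would use a dedicated account. The `setgroups` prototype under `__linux__` is a fallback for strict `-std=` builds that hide the non-POSIX declaration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __linux__
int setgroups(size_t n, const gid_t *list);   /* non-POSIX; glibc/musl signature */
#endif

/* Permanently drop from the current (possibly root) identity to uid/gid.
 * Returns 0 on success, -1 on any failure; the caller must exit on -1
 * rather than carry on with leftover privilege. Order matters: the
 * supplementary groups and primary gid go first, because once the uid is
 * unprivileged the kernel no longer permits those changes. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still root; an
     * unprivileged process may not call setgroups at all. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop. setuid() called by root sets real, effective and
     * saved uid together, so regaining root must now fail. If it does not,
     * something (a saved uid, a capability) is still privileged: fail closed. */
    if (uid != 0 && setuid(0) != -1)
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

/* 1 if the process currently runs with effective uid 0, else 0. */
int running_as_root(void)
{
    return geteuid() == 0;
}

int main(void)
{
    /* Privileged setup (binding a port below 1024, opening a root-owned
     * log file) would happen here, before the drop. */
    uid_t target_uid = getuid();   /* stand-in for a dedicated service account */
    gid_t target_gid = getgid();

    if (drop_privileges(target_uid, target_gid) != 0) {
        fprintf(stderr, "drop_privileges failed: %s\n", strerror(errno));
        return 1;
    }
    /* From here on, untrusted input is parsed with only target_uid's rights;
     * a memory-safety bug in that parser no longer hands over the system. */
    printf("now running as uid %u gid %u (root: %d)\n",
           (unsigned)geteuid(), (unsigned)getegid(), running_as_root());
    return 0;
}
```

The check that `setuid(0)` now fails is the part most often omitted: without it a process that kept its saved uid, or that still holds a capability, would carry on believing it had shed root.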
Almost all currently popular operating systems, and also many [[script (computing)|scripting applications]], allow code too many privileges, usually in the sense that when a user [[Executable|executes]] code, the system grants that code all rights of that user.{{Citation needed|date=July 2024|reason=This last sweeping statement needs a citation.}}

===Weak passwords===
A credential attack occurs when a user account with administrative privileges is cracked and that account is then used to give malware the privileges it needs.<ref>{{Cite book|last1=Singh|first1=Vaishali|last2=Pandey|first2=S. K.|chapter=Revisiting Cloud Security Attacks: Credential Attack|date=2021|editor-last=Rathore|editor-first=Vijay Singh|editor2-last=Dey|editor2-first=Nilanjan|editor3-last=Piuri|editor3-first=Vincenzo|editor4-last=Babo|editor4-first=Rosalina|editor5-last=Polkowski|editor5-first=Zdzislaw|editor6-last=Tavares|editor6-first=João Manuel R. S.|title=Rising Threats in Expert Applications and Solutions|chapter-url=https://link.springer.com/chapter/10.1007/978-981-15-6014-9_39|series=Advances in Intelligent Systems and Computing|volume=1187|language=en|location=Singapore|publisher=Springer|pages=339–350|doi=10.1007/978-981-15-6014-9_39|isbn=978-981-15-6014-9|s2cid=224940546|access-date=2 December 2021|archive-date=4 March 2022|archive-url=https://web.archive.org/web/20220304031316/https://link.springer.com/chapter/10.1007/978-981-15-6014-9_39|url-status=live}}</ref> The attack typically succeeds because the weakest form of account security is in use: a short password that can be recovered with a [[Dictionary attack|dictionary]] or [[Brute-force attack|brute force]] attack. Using [[strong password]]s and enabling [[Multi-factor authentication|two-factor authentication]] reduce this risk. With the latter enabled, even an attacker who cracks the password cannot use the account without also holding the token possessed by its legitimate user.
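The dictionary attack mentioned above, as an added example in C (not code from the article or any cited work) showing why short, guessable passwords fall in a handful of tries while the brute-force keyspace for a long one is out of reach. The wordlist and the suffix "mangling rules" are a constructed stand-in for a real leaked-password list and a cracker's rule set, and FNV-1a is used only as a cheap stand-in for the stored verifier so the demo runs offline; it is not a password hash.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 64-bit: a fast, deterministic stand-in for the stored verifier.
 * NOT a password hash. A real system stores bcrypt, scrypt or Argon2
 * output, whose cost per guess is the whole point. */
uint64_t fnv1a64(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constructed wordlist and suffix rules, standing in for a leaked-password
 * list and a cracker's mangling rules. */
static const char *WORDLIST[] = { "password", "summer", "admin", "letmein", "welcome" };
static const char *SUFFIXES[] = { "", "1", "123", "!", "2020", "2021" };
#define N_WORDS    (sizeof WORDLIST / sizeof WORDLIST[0])
#define N_SUFFIXES (sizeof SUFFIXES / sizeof SUFFIXES[0])

/* Dictionary attack: every word, with and without an initial capital,
 * with every suffix. Returns the number of guesses needed to match
 * 'target' (writing the recovered password to out), or 0 if the
 * dictionary is exhausted without a hit. */
unsigned long dictionary_attack(uint64_t target, char *out, size_t outsz)
{
    unsigned long guesses = 0;
    char cand[64];
    for (size_t w = 0; w < N_WORDS; w++)
        for (int capitalise = 0; capitalise < 2; capitalise++)
            for (size_t s = 0; s < N_SUFFIXES; s++) {
                snprintf(cand, sizeof cand, "%s%s", WORDLIST[w], SUFFIXES[s]);
                if (capitalise)
                    cand[0] = (char)toupper((unsigned char)cand[0]);
                guesses++;
                if (fnv1a64(cand) == target) {
                    snprintf(out, outsz, "%s", cand);
                    return guesses;
                }
            }
    return 0;
}

/* Guesses needed to recover 'password' from its verifier; 0 if the
 * dictionary never reaches it. Confirms the recovered string to rule
 * out a (vanishingly unlikely) hash collision. */
unsigned long guesses_to_recover(const char *password)
{
    char recovered[64];
    unsigned long n = dictionary_attack(fnv1a64(password), recovered, sizeof recovered);
    return (n != 0 && strcmp(recovered, password) == 0) ? n : 0;
}

/* Brute-force keyspace charset_size^length, as a double so long
 * passwords do not overflow an integer. */
double brute_force_space(unsigned charset_size, unsigned length)
{
    double n = 1.0;
    for (unsigned i = 0; i < length; i++)
        n *= charset_size;
    return n;
}

int main(void)
{
    printf("'password'   falls after %lu guess(es)\n", guesses_to_recover("password"));
    printf("'Summer2020' falls after %lu guesses\n", guesses_to_recover("Summer2020"));
    printf("'correct horse battery staple': %lu (not reachable by this dictionary)\n",
           guesses_to_recover("correct horse battery staple"));
    printf("6 lowercase chars:  %.0f candidates\n", brute_force_space(26, 6));
    printf("16 printable chars: %.3g candidates\n", brute_force_space(95, 16));
    return 0;
}
```

"Summer2020" is found on the 23rd guess: capitalisation and a year suffix are the first rules any cracker applies, so they add almost nothing to the effort. Length and unpredictability are what move a password out of the dictionary and into a keyspace no attacker can enumerate, and two-factor authentication makes even a successful guess insufficient on its own.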
===Use of the same operating system===
Homogeneity can be a vulnerability. For example, when all computers in a [[Computer network|network]] run the same operating system, a [[Computer worm|worm]] that exploits one of them can exploit them all:<ref name="UKan">"LNCS 3786 – Key Factors Influencing Worm Infection", U. Kanlayasiri, 2006, web (PDF): [https://doi.org/10.1007%2F11604938_5 SL40-PDF] {{Webarchive|url=https://web.archive.org/web/20230227061952/https://link.springer.com/chapter/10.1007/11604938_5|date=27 February 2023}}.</ref> In particular, [[Microsoft Windows]] and [[Mac OS X]] have such a large share of the market that an exploited vulnerability in either operating system could subvert a large number of systems. It is estimated that approximately 83% of malware attacks in the first quarter of 2020 targeted Windows computers, by then mostly running [[Windows 10]].<ref>{{Cite web|last=Cohen|first=Jason|date=2020-08-28|title=Windows Computers Account for 83% of All Malware Attacks in Q1 2020|url=https://au.pcmag.com/encryption/68294/windows-computers-account-for-83-of-all-malware-attacks-in-q1-2020|access-date=2021-12-02|website=PCMag Australia|language=en-au|archive-date=2 December 2021|archive-url=https://web.archive.org/web/20211202085917/https://au.pcmag.com/encryption/68294/windows-computers-account-for-83-of-all-malware-attacks-in-q1-2020|url-status=live}}</ref> This risk can be mitigated by segmenting the network into separate [[subnetwork]]s and configuring [[Firewall (computing)|firewalls]] to block traffic between them, so that a worm on one segment cannot reach hosts on another.<ref>{{Cite book|last1=Wagner|first1=Neal|last2=Şahin|first2=Cem Ş.|last3=Winterrose|first3=Michael|last4=Riordan|first4=James|last5=Pena|first5=Jaime|last6=Hanson|first6=Diana|last7=Streilein|first7=William W.|title=2016 IEEE Symposium Series on Computational Intelligence (SSCI)|chapter=Towards automated cyber decision support: A case study on network segmentation for security|date=December 2016|chapter-url=https://ieeexplore.ieee.org/document/7849908|pages=1–10|doi=10.1109/SSCI.2016.7849908|isbn=978-1-5090-4240-1|s2cid=9065830|access-date=1 January 2022|archive-date=2 December 2021|archive-url=https://web.archive.org/web/20211202091053/https://ieeexplore.ieee.org/document/7849908/|url-status=live}}</ref><ref>{{Cite book|last1=Hemberg|first1=Erik|last2=Zipkin|first2=Joseph R.|last3=Skowyra|first3=Richard W.|last4=Wagner|first4=Neal|last5=O'Reilly|first5=Una-May|title=Proceedings of the Genetic and Evolutionary Computation Conference Companion|chapter=Adversarial co-evolution of attack and defense in a segmented computer network environment|date=2018-07-06|chapter-url=https://doi.org/10.1145/3205651.3208287|series=GECCO '18|location=New York, NY, USA|publisher=Association for Computing Machinery|pages=1648–1655|doi=10.1145/3205651.3208287|isbn=978-1-4503-5764-7|s2cid=51603533}}</ref>