If Achilles’s heel was his vulnerability in the Iliad, then Paris’s poison-tipped arrow was the exploit. Quite literally, an exploit is the device or – more often than not – the method through which an attacker takes advantage of an existing vulnerability in any sort of hardware or software system.
A vulnerability is a weakness. Sometimes these are bugs that arise from honest mistakes made by programmers in the product development lifecycle. Sometimes vulnerabilities are introduced into products intentionally in order to allow ‘backdoor’ access to a product after it has been shipped off to the user. Oftentimes, perhaps most often, they are inevitable byproducts of innovation.
Essentially, as hackers get better tools and learn more, and as computers become more powerful, processes and practices that were once considered secure become obsolete.
Think of it like traditional security: before the advent of gunpowder, a castle was a nearly impenetrable defense. You build a moat and fill it with alligators (though most people couldn’t swim at the time, so alligators may have been a bit excessive), you pull up the drawbridge when an attacker comes along, and your kingdom is pretty safe. Then came gunpowder, one thing led to another, and now an invader can easily lob a cruise missile inside your castle walls, and there is precious little that a drawbridge, stone walls, or a moat can do about it.
It’s important to note, though, that of all vulnerabilities, only a small percentage are dangerous or maliciously useful. Many vulnerabilities are cause for annoyance, like crashes or reboots, and little more. On the other side of the spectrum, there are countless dangerous vulnerabilities that exist but are nearly impossible or just too expensive to exploit. The only vulnerabilities that are of any real value to most attackers are those that allow for remote code execution, which could let an attacker execute malicious code, or escalation of privileges, which essentially gives an attacker all the same rights as a user or admin.
Vulnerabilities are ever-present. I install patches as soon as I can for everything I use. Despite this, I am writing this story right now in a vulnerable Microsoft Word, on a vulnerable Windows machine, with countless tabs opened in a vulnerable browser. Vulnerabilities are always there; it’s just a matter of whether or not anyone has discovered them and developed exploits to take advantage of them.
When you think about it, in the computing context, both ‘vulnerability’ and ‘exploit’ mean exactly what they mean in the larger context. The complicated part is explaining how a specific vulnerability came to exist and what an attacker actually does to exploit it.
In phishing attacks, the vulnerability and the exploit are simple. The vulnerability is human gullibility, or our tendency toward naiveté, and the exploit is a convincingly worded email.
The reality is that vulnerabilities are always out there – known and unknown – and always will be. Your best recourse is simple: try not to be the weakest gazelle on the savannah. Install your updates, run a strong antivirus product, avoid public Wi-Fi, don’t open sketchy email attachments, and, in general, browse smartly.