An exploit is a way to bypass the normal operation of software. A vulnerability is when there is a weakness in a computer system and an exploit is when it is possible to use that flaw.
Let's take an example, there are different padlocks on the market. Padlocks using keys are more secure than coded ones. Why? Quite simply because there are known methods of opening them without the code. This is our "Exploit"
Of particular concern is the fact that a vulnerability has an exploit. This means that an attacker has the possibility via this process to enter your information system (and possibly to send a payload).
Let's take an example, ransomware will use different exploits to break into a system and possibly bounce off other machines to encrypt all of the victim's data . WannaCry and NotPetya are two ransomware strains that build on a known Windows 7 exploit called EternalBlue .
A well-known cybersecurity website lists known exploits: Exploit Database
There is a project linked to this site allowing you to perform these searches via a tool: searchsploit
An exploit kit is simply a collection of exploits. These kits were designed to scan devices for software vulnerabilities. Once spotted, the kit will deploy malicious program to infect the device.
You will find a list of vulnerabilities used by exploit kits on this tool: Exploit Kit
We talk about a zero-day vulnerability, but are there zero-day exploits? The answer is unfortunately yes. A hacker who discovers a vulnerability can immediately create an exploit to take advantage of it (high market value!).
There may be vulnerabilities in the hardware (and firmware) of a device. Meltdown and Specter are two vulnerabilities that have been highlighted due to their potential danger. Meltdown is for Intel processors while Specter is for all processors. Fortunately, there are no exploits yet to take advantage of these vulnerabilities. In the meantime, processor manufacturers have created fixes to limit the risks.
How to protect?
It is important to implement a good Cyber hygiene:
- Always update your software
- Back up your files
- Use only software from trusted publishers
And if you want to go further in preventive, there is the Sherlock solution which is the 1st automated and permanent cyber audit solution, created by ethical hackers and « Made in France »