PrepAway - Latest Free Exam Questions & Answers

which of these is the "exploit"?

In the following example, which of these is the “exploit”?
Today, Microsoft Corporation released a security notice. It detailed how a person could bring down
the Windows 2003 Server operating system, by sending malformed packets to it. They detailed
how this malicious process had been automated using basic scripting. Even worse, the new
automated method for bringing down the server has already been used to perform denial of
service attacks on many large commercial websites.
Select the best answer.

A.
Microsoft Corporation is the exploit.

B.
The security “hole” in the product is the exploit.

C.
Windows 2003 Server

D.
The exploit is the hacker that would use this vulnerability.

E.
The documented method of how to use the vulnerability to gain unprivileged access.

Explanation:

Microsoft is not the exploit, but if Microsoft documents how the vulnerability can be used to gain
unprivileged access, they are creating the exploit. If they just say that there is a hole in the
product, then it is only a vulnerability. The security “hole” in the product is called the “vulnerability”.
It is documented in a way that shows how to use the vulnerability to gain unprivileged access, and
it then becomes an “exploit”. In the example given, Windows 2003 Server is the TOE (Target of
Evaluation). A TOE is an IT system, product or component that requires security evaluation or is
being identified. The hacker that would use this vulnerability is exploiting it, but the hacker is not
the exploit. The documented method of how to use the vulnerability to gain unprivileged access is
the correct answer.
