All commercial software has some vulnerabilities which can be exploited as a means of introducing malware. The nature of today’s sophisticated software, and the sheer quantity of code involved, means that it is effectively impossible to guarantee that a software application of any significant level of complexity does not include vulnerabilities.

The word ‘vulnerability’ has a specific meaning in this context – it is any weakness in the software code which can be exploited by a threat actor in order to introduce malware into the system running that software, or otherwise put it under threat. Finding these weaknesses in commercial software is an underworld business in itself – specific details of vulnerabilities in popular applications and operating systems are purchased by malefactors on the dark web for considerable sums. The other arm of this criminal industry is the manufacture of ‘exploits’ – pieces of code designed to exploit these individual vulnerabilities and use them to inject malware into your systems.

Exploiting vulnerabilities in commercial software is how the vast majority of corporate cyber-attacks, even the most complex and sophisticated, originate.