Affiliation:
1. Department of Electrical Engineering and Computer Science, Howard University, Washington, DC 20059, USA
Abstract
Operating systems play a crucial role in computer systems, serving as the fundamental infrastructure that supports a wide range of applications and services. However, they are also prime targets for malicious actors seeking to exploit vulnerabilities and compromise system security. This is a crucial area that requires active research; however, OS vulnerabilities have not been actively studied in recent years. Therefore, we conduct a comprehensive analysis of OS vulnerabilities, aiming to enhance the understanding of their trends, severity, and common weaknesses. Our research methodology encompasses data preparation, sampling of vulnerable OS categories and versions, and an in-depth analysis of trends, severity levels, and types of OS vulnerabilities. We scrape the high-level data from reliable and recognized sources to generate two refined OS vulnerability datasets: one for OS categories and another for OS versions. Our study reveals the susceptibility of popular operating systems such as Windows, Windows Server, Debian Linux, and Mac OS. Specifically, Windows 10, Windows 11, Android (v11.0, v12.0, v13.0), Windows Server 2012, Debian Linux (v10.0, v11.0), Fedora 37, and HarmonyOS 2, are identified as the most vulnerable OS versions in recent years (2021–2022). Notably, these vulnerabilities exhibit a high severity, with maximum CVSS scores falling into the 7–8 and 9–10 range. Common vulnerability types, including CWE-119, CWE-20, CWE-200, and CWE-787, are prevalent in these OSs and require specific attention from OS vendors. The findings on trends, severity, and types of OS vulnerabilities from this research will serve as a valuable resource for vendors, security professionals, and end-users, empowering them to enhance OS security measures, prioritize vulnerability management efforts, and make informed decisions to mitigate risks associated with these vulnerabilities.
Funder
DoD Center of Excellence in AI and Machine Learning
Subject
Computer Networks and Communications
Reference16 articles.
1. Microsoft (2023, June 01). Windows Secure Channel Denial of Service Vulnerability. Available online: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21813.
2. Research, G.S. (2023, June 01). Linux (Ubuntu)–Other Users Coredumps Can Be Read via Setgid Directory and killpriv Bypass. Available online: https://www.exploit-db.com/exploits/45033.
3. Gorbenko, A., Romanovsky, A., Tarasyuk, O., and Biloborodov, O. (2017, January 23–26). Experience report: Study of vulnerabilities of enterprise operating systems. Proceedings of the 2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE), Toulouse, France.
4. Cheikes, B.A., Waltermire, D., Kent, K.A., and Waltermire, D. (2023, June 02). Common Platform Enumeration: Naming Specification Version 2.3, Available online: https://csrc.nist.gov/publications/detail/nistir/7695/final.
5. Peterson, J.L., and Silberschatz, A. (1985). Operating System Concepts, Addison-Wesley Longman Publishing Co., Inc.