
Vulnerabilities in Operating Systems

  • Saeed Shafiee
  • published date: 2020-09-30 19:10:18

Digital devices such as smartphones, tablets, and computers play a key part in our lives. We use them to perform financial transactions, check social accounts, and so on. While we use these devices, security is a major concern. However, the presence of a vulnerability on these devices can impact our security temporarily. Fortunately, security teams can address and fix vulnerabilities effectively after discovering them. A vulnerability can be defined as an unexpected part of an installed application that can be used maliciously by an attacker. A vulnerability can originate from the operating system or from an application running on the operating system.

Vulnerabilities occur in most operating systems. For instance, some of the common vulnerabilities that have been exploited in the Windows operating system are related to IIS (Internet Information Services), MS-SQL (Microsoft SQL), IE (Internet Explorer), etc. [1]. A well-known network worm that exploited a vulnerability in IIS (described in Microsoft Security Bulletin MS01-033) is 'CodeRed', which infected 300,000 systems and affected a large portion of businesses [1].

Another network worm, Spida, exploited a vulnerability in the MS-SQL software package [1]. Spida takes advantage of the fact that some installations of MS SQL did not set a password for the 'SA' account; using the 'Guest' account, the worm shares itself onto the target, and on the target system it uses the 'SA' account (which has no password) to access its copy and infect the target [1]. In January 2003, another network-based worm, Slammer, infected an estimated 75,000 systems in 15 minutes by exploiting a vulnerability in MS-SQL Server (a buffer overflow in one of the subroutines that handle UDP packets) [1].

The Linux operating system has vulnerabilities as well; however, the Linux community tries to identify existing vulnerabilities before they are exploited, fix them by releasing packages, and make those fixes available to developers for further product development [2]. Furthermore, in contrast to macOS and Windows, on Linux it is the developers' task to notice when there is a new kernel update and to track newly detected vulnerabilities in the open source components used in their products [2]. For instance, an important vulnerability in the Linux kernel is CVE-2014-2523, in which a DCCP header pointer was not used correctly; this made denial of service and arbitrary code execution by attackers possible when a DCCP packet triggered a call to functions such as dccp_new [2].

Vulnerabilities also exist in web-based applications. Each of us uses various kinds of web-based applications daily, so addressing their vulnerabilities is important. Three aspects can be used to prioritize web vulnerabilities: 1) exploitability (what is required to exploit the vulnerability: low when advanced tools and programming techniques are needed, and high when only a web browser is required); 2) detectability (how easy the vulnerability is to detect: low for vulnerabilities in source code, high when information is exposed in the URL, etc.); and 3) the impact of the vulnerability on the software (high when a system crashes, low when the damage is not important) [3].

The Open Web Application Security Project (OWASP) has collected the top ten vulnerabilities, such as SQL Injection, Cross Site Scripting (XSS), etc. [3]. In SQL Injection, attackers manipulate a SQL statement through user input data, tricking the SQL command interpreter with modified inputs to gain unauthorized data access or run an unexpected query [3]. In Cross Site Scripting (XSS), attackers target a victim's web browser to run an unverified script embedded in the web page (on the client side) when data sent to the browser is not validated [3].

Skipping the patching of discovered security vulnerabilities is a common risk that businesses take, even though the vulnerabilities can be used by malware [4]. A solution is to handle new security updates for the organization's software regularly and to install them on all systems that run that software [4]. Installing the fixing updates on vulnerable systems reduces the possibility of being exploited by attackers.

Software developers need to know the latest security-based approaches to protect their products against potential vulnerabilities that may affect them in the future. For instance, a good practice for software developers is to check the mechanism of their implemented packages to identify how each function handles unexpected input data.

 

References

[1] Kaspersky IT Encyclopedia. Vulnerabilities examples. https://encyclopedia.kaspersky.com/knowledge/vulnerabilities-examples/. Online; accessed 22 August 2020.

[2] Gabriel Avner. The Top 10 Linux Kernel Vulnerabilities You Should Know. https://resources.whitesourcesoftware.com/blog-whitesource/top-10-linux-kernel-vulnerabilities. Online; accessed 22 August 2020.

[3] Prasanthi Eati. 10 Most Common Web Security Vulnerabilities. https://www.guru99.com/web-security-vulnerabilities.html. Online; accessed 22 August 2020.

[4] Eric Dosal. Top 9 Cybersecurity Threats and Vulnerabilities. https://www.compuquip.com/blog/top-5-cybersecurity-threats-and-vulnerabilities. Online;

 

 

#Vulnerabilities #Operating Systems #Security