Abstract

CVSS is recognized as the de facto standard for categorizing and measuring software vulnerabilities in terms of both how easily a given security bug can be exploited and how much impact the vulnerability has on the affected system with respect to the three security factors. Meanwhile, since the early 2000s, quantitative risk assessment of software systems has become feasible, thanks to datasets large enough for scientific investigation. However, many research questions in the quantitative examination of software risk remain unaddressed. In this paper, we quantitatively analyze the CVSS scores of vulnerabilities in the three most recent Windows products, namely Windows 7, Windows 8.1 and Windows 10. The results show that the AML vulnerability discovery model represents the Windows vulnerability discovery trend reasonably well. Furthermore, we found that, most of the time, security bugs are exploited on systems where no authentication is required. This result corresponds with the findings of previous research on Web browsers.

Highlights

  • In spite of the fact that the operating system of a personal computer is one of its most important software systems, a lot of security bugs are still found in all of the major operating systems, such as Windows, OSX, Linux, Android and iOS

  • A new metric, called scope (S), has been added to the base metrics of CVSS v3.0; it captures whether a vulnerability in one software component can impact resources beyond its own means or privileges

  • It is measured in terms of, first, the security requirements for Confidentiality (CR), Integrity (IR) and Availability (AR), and second, the modified base metrics, which let analysts adjust the base metrics according to the conditions of their own environments
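The scope metric and the environmental metrics (CR/IR/AR plus the modified base metrics) named in the highlights above, worked through as an added CVSS v3.0 scoring example in Python; this is not code from the paper. The metric weights and formulas follow the FIRST CVSS v3.0 specification, and the vector strings are constructed inputs.

```python
import math

# Metric weights from the FIRST CVSS v3.0 specification (constructed tables, checked against it).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}  # (scope unchanged, scope changed)
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR
TEMPORAL = {"E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
            "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
            "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}}

def parse_vector(vector):
    """'CVSS:3.0/AV:N/AC:L/...' -> dict; optional metrics left out default to X (not defined)."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.0":
        raise ValueError("expected a CVSS:3.0 vector string")
    m = {k: "X" for k in ("CR", "IR", "AR", "E", "RL", "RC")}
    m.update(p.split(":", 1) for p in parts[1:])
    return m

def roundup(x):
    """CVSS Roundup (smallest one-decimal value >= x), written in the float-safe v3.1 form."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def _combine(m, pick, cr="X", ir="X", ar="X", cap=1.0):
    """Impact + exploitability with the scope adjustment; pick() selects base or modified metrics."""
    changed = pick("S") == "C"
    iss = min(1 - (1 - CIA[pick("C")] * REQ[cr]) * (1 - CIA[pick("I")] * REQ[ir])
              * (1 - CIA[pick("A")] * REQ[ar]), cap)
    # A changed scope switches to the steeper impact curve, raises the PR weight and adds 8%.
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * AV[pick("AV")] * AC[pick("AC")] * PR[pick("PR")][changed] * UI[pick("UI")]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def base_score(vector):
    m = parse_vector(vector)
    return _combine(m, lambda k: m[k])

def environmental_score(vector):
    """Base metrics replaced by M* metrics when set, impact weighted by CR/IR/AR, then temporal factors."""
    m = parse_vector(vector)
    pick = lambda k: m[k] if m.get("M" + k, "X") == "X" else m["M" + k]
    inner = _combine(m, pick, m["CR"], m["IR"], m["AR"], cap=0.915)
    return roundup(inner * TEMPORAL["E"][m["E"]] * TEMPORAL["RL"][m["RL"]] * TEMPORAL["RC"][m["RC"]])
```

Lowering CR/IR/AR to L on a 9.8 base vector drops the environmental score to 8.0, while setting MAV:L on the same vector gives 8.4, the figure the base formula yields for a local attack vector.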


Summary

INTRODUCTION

In spite of the fact that the operating system of a personal computer is one of its most important software systems, a lot of security bugs are still found in all of the major operating systems, such as Windows, OSX, Linux, Android and iOS. Since operating systems are a critical part of a computing system, they need more care than other types of software applications. Major vendors, such as Microsoft for Windows or Apple for MAC OSX, provide automatic updates, but Linux systems are not as simple to patch because of the nature of Linux software and its many different distributions. Since vulnerabilities are a class of defects, a similar measure called vulnerability density [14] can be defined.

RELATED WORKS
COMMON VULNERABILITY SCORING SYSTEM
VULNERABILITY DISCOVERY TRENDS
CONCLUSION