Chapter 30 Β· Quiz

OS Vulnerabilities Quiz

Multiple choice, matching, analysis, and evaluation questions.

Part A β€” Multiple Choice

Q1
What makes operating systems such a high-priority target for attackers?
βœ… Correct: B. The universality of operating systems β€” every device runs one β€” combined with their complexity (tens of millions of lines of code) makes them the highest-value target. One vulnerability in a widely-deployed OS version affects millions of systems simultaneously.
Q2
What is Patch Tuesday?
βœ… Correct: C. Patch Tuesday is Microsoft's second-Tuesday-of-the-month scheduled update cycle. Other vendors follow similar schedules. The predictability helps organizations plan testing and deployment β€” but also tells attackers exactly when new vulnerability details will be published.
Q3
An attacker already has limited user access to a Windows workstation. They exploit a vulnerability that grants them SYSTEM-level access without any additional credentials. Which vulnerability category does this represent?
βœ… Correct: C. Elevation of Privilege vulnerabilities allow an attacker to gain higher system access than they were granted. This is a two-stage attack pattern: gain initial limited access (user account), then use EoP to escalate to administrator or SYSTEM level.
Q4
A patch was deployed to 200 workstations. The deployment console shows all 200 machines as "Patch Installed." However, 47 machines still show a reboot-pending flag. What is the security status of those 47 machines?
βœ… Correct: B. Core OS patches β€” especially those affecting the kernel, drivers, or security subsystems β€” do not take effect until a system restarts. Old, vulnerable code remains running in memory until the restart. "Installed" and "protected" are different states. Patch management must track restart-pending status separately.
Q5
A security patch is released for a critical Remote Code Execution vulnerability. A system administrator decides to wait two weeks before deploying it to allow thorough testing. What is the PRIMARY risk of this delay?
βœ… Correct: C. Patch release reveals the vulnerability's existence to attackers. They reverse engineer the patch to identify the exact flaw and build exploit code. The window between patch release and working exploit availability can be hours to days. Every day of delay is a day the system is a known target.

Part B β€” Matching

Match each vulnerability type to what it does.

VULNERABILITY TYPE

Remote Code Execution
Elevation of Privilege
Security Feature Bypass
Information Disclosure

WHAT IT DOES

Exposes sensitive data β€” memory contents, credentials, or configuration β€” to parties who should not have access
Allows an attacker to circumvent built-in OS security controls such as UAC or code signing
Allows an attacker to run arbitrary code on a remote system without prior access or authentication
Allows an attacker to gain higher system privileges than originally granted

Part C β€” Analysis

Q6 β€” Analyze
An organization applies all OS patches immediately on Patch Tuesday without testing. Two months later, a patch breaks a critical line-of-business application, causing a 6-hour outage across all 300 workstations. What should the organization have done differently?
βœ… Correct: B. Staged rollout balances speed with stability. Test environment first, then a small pilot group, then full production. This catches compatibility issues before they affect all systems β€” turning a potential organization-wide outage into a 40-minute restore of the affected test machines.

Part D β€” Evaluation

Q7 β€” Evaluate
A manager argues: "We should delay all patches by 30 days to thoroughly test them. Security is important, but system stability is our first priority." Evaluate this reasoning. Is a uniform 30-day delay the correct approach?
βœ… Correct: C. Patch urgency varies by severity and exploitation status. A critical RCE with active in-the-wild exploitation needs to be patched urgently β€” the risk of the unpatched vulnerability far exceeds the risk of a compatibility issue. A low-severity informational patch can tolerate a longer testing window. The correct policy differentiates by severity, not applies a uniform delay to everything.
0/7
Questions Answered Correctly