SANS updates its list of the Top 10 Windows threats

This edition of The Locksmith provides a breakdown of the latest update to the SANS-FBI list of the top ten most exploited security threats in Windows.

The SANS Institute has recently updated its compilation of the most common IT vulnerabilities. As usual, the list is broken into two groups: Windows issues and Linux/UNIX issues. This article looks at the list of Windows threats.


The SANS Top 20 list, which is developed in cooperation with the FBI's National Infrastructure Protection Center, pinpoints the most dangerous and common vulnerabilities as part of a massive document with lots of interesting details, including a listing of the most vulnerable TCP/UDP ports.

The vulnerabilities listed are the ones actually seen to be exploited on a regular basis, which indicates that they are probably the easiest and least patched threats to exploit.

As mentioned above, this week I want to look at the top 10 Windows-related threats. It's important to note that the SANS list doesn't just list vulnerabilities, it offers detailed suggestions for dealing with them.

  1. The top threat is to unpatched or poorly installed Web servers including Apache, IIS, and SunOne (iPlanet). Besides requiring periodic updates to plug newly discovered holes, the default installations for most Web servers are highly insecure. An important point to remember is that server software often comes with various demo applications and sample Web sites that are not secure and were never intended to be left on a production server. This is important even if you don't run a Web server because the Web server software may have been turned on by default—for example, Windows 2000 installs a very insecure version of IIS 5.0 by default. The best policy is to see the SANS report for a way to determine if you are at risk.
  2. The Workstation service is the second most common threat exploited by hackers. This service processes requests for access to files and printers but is vulnerable to a stack-smashing attack on Windows 2000, XP (before SP1), and XP 64-bit. Patches provided in MS03-049 for Windows 2000 and MS03-043 for XP fix these security holes. XP SP2 is thought to be fully protected.
  3. Klez, Sircam, and Nimda all took advantage of Windows remote access services to spread so rapidly. All operating system versions starting with Windows 95 are vulnerable to RPC (remote procedure call) attacks, but XP SP2 modifies the way RPCs work and is more secure. SANS lumps this Windows threat in with NETBIOS and anonymous logon vulnerabilities.
  4. The fourth threat in declining order of incidents involves the various vulnerabilities contained in Microsoft SQL Server, which has been exploited by Slammer and other worms. SQL Server is required by a number of applications and programming tools, so you may not even realize it is installed. For example, Visual Studio .NET, Access 2002, and Office XP all install some vulnerable version of the MSDE desktop engine, which is essentially SQL Server "lite." As another example, you must install SQL Server on a Tablet PC just to run a Delorme GPS navigation system.
  5. The fifth most frequent exploit is our old friend the weak password or poor authentication. Open Source applications, in particular, often store passwords using a weak or well-known hashing algorithm. Windows NT, 2000, and XP all store some passwords using the weak LM hash (LANMAN), which only allows relatively short passwords, doesn't recognize different cases, and is otherwise easy to crack. Windows Server 2003 doesn't install LM hash by default. A legacy OS on your network may require the use of the LM hash. There are various Microsoft KBAs that address this threat and show how to disable LM authentication or work around compatibility problems. Remember, if you have the LM hash operating, even the strongest password will be truncated and otherwise weakened by the encryption tool itself.
  6. Internet Explorer has fallen to the number six rank among the most common Windows threats. It's important to note that many of the vulnerabilities listed by SANS also apply to versions of Opera, Mozilla, Firefox, and Navigator, so merely switching to an alternative browser will only reduce, not eliminate, the threats. Still, IE has had 153 vulnerabilities reported since April 2001 (according to the Security Focus Archive), so it is still considered to be by far the least secure Web browser. There have been 15 IE vulnerabilities reported so far in 2004, but Mozilla has also received seven Secunia Advisories, Navigator two, and Opera eight since January. The best protection is to never surf the net while logged on with high privileges (especially Administrator privileges) and to shut off ActiveX whenever possible. Windows XP SP2 has improved ActiveX security control.
  7. The use of peer-to-peer networking systems to share files has grown in popularity, which opens up systems to a number of serious threats. P2P is ranked seventh in this SANS top threat listing. The best and probably only real protection is to never use KaZaa, Gnutella, or any other P2P software on a corporate network. Enforcing this rule can be difficult, so use your firewall to block commonly used ports such as TCP 8888, 8875, and 6699 for Napster; TCP 4661 and 4662, along with UDP 4665 for eDonkey; and TCP/UDP 6345, 6346, 6347, and 6348 for Gnutella. Unfortunately, KaZaa uses TCP 80, so it can't be blocked as easily. Check out this link for other useful information on P2P.
  8. Eighth on this year's list is the buffer overrun vulnerability in the Local Security Authority Subsystem Service (LSASS), which is used for authentication and Active Directory. The Sasser and Korgo worms exploited this vulnerability, which affects Windows 2000, XP, XP 64-bit, and Windows Server 2003 systems. Port blocking is probably the best defense—see the report for details.
  9. It may surprise many to see that Outlook and Outlook Express are only ninth on the list of most commonly exploited items. That's only because the SANS survey is of business systems. Outlook and OE are probably still king of vulnerabilities in home systems that use the mail client. I don't use Outlook for anything but, if you do, make certain you keep it patched. If you don't use it, remove it from Windows, but make a note to do this every time you install a new service pack or otherwise upgrade the system because Outlook Express may be re-installed without warning. Blocking certain risky file types is a good solution, but requires editing the Registry. Again, see the report for details.
  10. The final big Windows threat of the past six months has been the growing use of instant messaging in business settings. Windows Messenger has become thoroughly integrated into Windows and supports the MSN Messenger network, while other IM systems such as Yahoo and AOL have become widely used on many Windows systems. There is no complete protection available for IM threats, but keeping your access list very tightly controlled and updating the IM software regularly will help.
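Several of the items above (the Web server, the Workstation service, SQL Server/MSDE and the LM hash) are things an administrator may not know are present on a host. The following read-only PowerShell audit is an added example, not part of the column or the SANS report; it assumes it is run as Administrator on a Windows host, and it relies on the standard service names W3SVC (IIS), MSSQL* (SQL Server and MSDE instances) and LanmanWorkstation, plus the Lsa registry values NoLMHash and LmCompatibilityLevel.

```powershell
# Added example (not from the column or the SANS report): report which of the
# listed exposures are present on this host. Read-only; it changes nothing.
# Assumes: run as Administrator; standard Windows service names and Lsa values.

function Get-LmHashPolicy {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $p = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # NoLMHash = 1 stops new LM hashes being written; absent or 0 means they are stored.
        # Note: existing hashes remain until each password is changed.
        NoLMHash             = if ($null -ne $p.NoLMHash) { [int]$p.NoLMHash } else { 0 }
        # 0-2 still send LM/NTLMv1 responses; 3 and above send NTLMv2 only.
        LmCompatibilityLevel = if ($null -ne $p.LmCompatibilityLevel) { [int]$p.LmCompatibilityLevel } else { 0 }
    }
}

function Get-ServiceExposure {
    param([string]$Name, [string]$Why)
    # -Name accepts wildcards, so 'MSSQL*' catches the default and named instances (MSSQL$NAME).
    foreach ($svc in Get-Service -Name $Name -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Service   = $svc.Name
            Status    = $svc.Status
            StartType = $svc.StartType
            Why       = $Why
        }
    }
}

$findings = @()
$findings += Get-ServiceExposure -Name 'W3SVC'             -Why 'Web server installed (item 1)'
$findings += Get-ServiceExposure -Name 'LanmanWorkstation' -Why 'Workstation service (item 2)'
$findings += Get-ServiceExposure -Name 'MSSQL*'            -Why 'SQL Server / MSDE present (item 4)'
$findings | Format-Table -AutoSize

$lm = Get-LmHashPolicy
if ($lm.NoLMHash -ne 1) {
    Write-Warning 'LM hashes are still being stored (item 5): set NoLMHash=1, then have users change passwords.'
}
if ($lm.LmCompatibilityLevel -lt 3) {
    Write-Warning "LmCompatibilityLevel=$($lm.LmCompatibilityLevel): LM/NTLMv1 responses are still sent (item 5)."
}
```

A service that is present but Stopped is still worth recording, since a later service pack or application install can re-enable it, the same caveat the column raises for Outlook Express.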

Final word

The SANS Top 20 update is always of great interest and significance to security specialists, IT professionals, and IT Managers, and this latest edition is no different. Please don't assume that I have included all the important information found in this massive compilation of vulnerabilities. In particular, the SANS list provides a goldmine of information on determining whether you are vulnerable (in many instances such as with SQL Server, this isn't at all obvious) and detailed help in plugging the holes.

A word to the wise: everyone occasionally makes a mistake or is caught by a new vulnerability but, if it costs your company money, it will be difficult to explain to your superiors just why the systems under your control were vulnerable to these well-known and widely exploited threats. You can use this list as a baseline of what to protect and make sure you keep it protected.

Also watch for …

  • MS04-039 "Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing" is only rated "important" by Microsoft and I don't see any great threat here either. This only affects Proxy Server 2.0 and Internet Security and Acceleration (ISA) Server 2000.
  • San Jose, California-based Finjan Software, an international security firm, has given Microsoft details of what the company says are 10 serious vulnerabilities still present in Windows XP even after patching with SP2. One threat lets attackers upload and run arbitrary programs. No further details are available, but the vendor is said to be working with Microsoft to fix the problems.
  • Secunia has published a report of another variant of a weakness in Internet Explorer 6, which lets attackers spoof the URLs displayed in the status bar. The threat is detailed in the report but the risk is relatively low.
