The SANS Institute has recently updated its compilation of
the most common IT vulnerabilities. As usual, the list is broken into two
groups: Windows issues and Linux/UNIX issues. This article looks at the list of
Windows threats.
Details
The SANS Top 20 list,
which is developed in cooperation with the FBI’s National Infrastructure
Protection Center, pinpoints the most dangerous and common vulnerabilities as
part of a massive document with lots of interesting details, including a
listing of the most vulnerable TCP/UDP ports.
The vulnerabilities listed are the ones actually seen being
exploited on a regular basis, which suggests they are both easy to exploit and
widely left unpatched.
As mentioned above, this week I want to look at the top 10
Windows-related threats. It’s important to note that the SANS list doesn’t just
list vulnerabilities, it offers detailed suggestions for dealing with them.
- The top threat is unpatched or poorly installed Web servers, including
Apache, IIS, and Sun ONE (iPlanet). Besides the periodic updates needed to
plug newly discovered holes, the default installations of most Web servers
are highly insecure. In particular, server software often ships with demo
applications and sample Web sites that are not secure and were never meant
to remain on a production server. This matters even if you don't think you
run a Web server, because the software may have been switched on by
default; Windows 2000, for example, installs an insecure default
configuration of IIS 5.0. See the SANS report for a way to determine
whether you are at risk.
- The Workstation service is the second most commonly exploited threat. It
processes requests for access to files and printers, and on Windows 2000,
XP (SP1 and earlier), and XP 64-bit it is vulnerable to a stack-smashing
(buffer overrun) attack. The patches in MS03-049 for Windows 2000 and
MS03-043 for XP fix this hole, and XP SP2 is thought to be fully protected.
- Klez, Sircam, and Nimda all took advantage of Windows remote access
services to spread as quickly as they did. Every Windows version from
Windows 95 onward ships with these services (NetBIOS file and print
sharing, RPC); XP SP2 changes the way RPC (remote procedure call) requests
are handled and is more secure. SANS lumps this threat together with the
NetBIOS and anonymous logon (null session) vulnerabilities.
- The fourth threat, in declining order of incidents, is the set of
vulnerabilities in Microsoft SQL Server, which Slammer and other worms
exploited. SQL Server is required by a number of applications and
programming tools, so you may not even realize it is installed: Visual
Studio .NET, Access 2002, and Office XP can all install a vulnerable version
of MSDE, the desktop engine that is essentially SQL Server "lite", and even
a Delorme GPS navigation package for the Tablet PC requires it. Those
copies carry the same vulnerabilities as a full SQL Server.
- The fifth most frequent exploit is our old friend, the weak password or
poor authentication. Many applications, Open Source ones in particular,
store passwords using a weak or well-known hashing scheme. Windows NT,
2000, and XP all store passwords as the weak LM hash (LAN Manager)
alongside the NT hash. LM upper-cases the password, limits it to 14
characters, and hashes each 7-character half independently, so even a long,
mixed-case password is reduced to two short, single-case pieces that can be
cracked separately. Windows Server 2003 does not store the LM hash by
default. A legacy operating system on your network may require LM
authentication; several Microsoft Knowledge Base articles show how to
disable the LM hash or work around the compatibility problems. Remember
that as long as LM hashes are stored, even the strongest password is
truncated and weakened by the hashing scheme itself; only passwords longer
than 14 characters escape it, because Windows 2000 and later cannot produce
an LM hash for them at all.
- Internet Explorer has fallen to sixth place among the most common Windows
threats. Note that many of the vulnerabilities SANS lists also apply to
versions of Opera, Mozilla, Firefox, and Navigator, so merely switching to
an alternative browser reduces rather than eliminates the threat. Still,
IE has had 153 vulnerabilities reported since April 2001 (according to the
SecurityFocus archive), so it is still considered by far the least secure
Web browser. Fifteen IE vulnerabilities have been reported so far in 2004,
but Mozilla has also received seven Secunia advisories, Navigator two, and
Opera eight since January. The best protection is never to surf the Web
while logged on with high privileges (especially Administrator privileges)
and to turn off ActiveX whenever possible. Windows XP SP2 improves the
controls over ActiveX.
- Peer-to-peer file sharing has grown in popularity, and it opens systems
to a number of serious threats; SANS ranks P2P seventh. The best, and
probably only real, protection is never to allow KaZaa, Gnutella, or any
other P2P software on a corporate network. Because that rule is hard to
enforce, also use your firewall to block the commonly used ports: TCP 8888,
8875, and 6699 for Napster; TCP 4661 and 4662 and UDP 4665 for eDonkey; and
TCP/UDP 6345 through 6348 for Gnutella. KaZaa, unfortunately, uses TCP 80,
the same port as ordinary Web traffic, so it cannot be blocked by port
alone, and any client can be reconfigured to a different port. Check out
this link for other useful information on P2P.
- Eighth on this year's list is the buffer overrun in the Local Security
Authority Subsystem Service (LSASS), which handles authentication and
Active Directory. The Sasser and Korgo worms exploited it, and it affects
Windows 2000, XP, XP 64-bit, and Windows Server 2003 (the fix is MS04-011).
Blocking the port the worms use (TCP 445) at the perimeter is probably the
best defense; see the report for details.
- It may surprise many to see Outlook and Outlook Express only ninth on the
list of most commonly exploited items. That is only because the SANS survey
covers business systems; on home systems that use them, Outlook and OE are
probably still the king of vulnerabilities. I don't use Outlook for
anything, but if you do, make certain you keep it patched. If you don't use
it, remove it from Windows, and make a note to do so again every time you
install a new service pack or otherwise upgrade the system, because Outlook
Express may be re-installed without warning. Blocking risky attachment file
types is a good solution but requires editing the Registry; again, see the
report for details.
- The final big Windows threat of the past six months is the growing use of
instant messaging in business settings. Windows Messenger is now thoroughly
integrated into Windows and supports the MSN Messenger network, while other
IM systems such as Yahoo and AOL have become widely used on Windows systems.
There is no complete protection against IM threats, but keeping your
contact (access) list tightly controlled and updating the IM software
regularly will help.
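A check for the first item above, the sample and administrative content a default IIS 4/5 install leaves behind. This is an added example, not the SANS report's own check: the path list is my assumption based on the virtual directories those versions created by default (extend it with the checks in the report), and the address in the usage line is a placeholder. It needs PowerShell 3.0 or later and network access to the server being checked.

```powershell
# Added example (not from the SANS report): probe a Web server for the
# sample and administrative virtual directories that IIS 4/5 created by
# default. The path list is an assumption drawn from those defaults.

function Test-DefaultWebContent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$BaseUrl,   # e.g. http://intranet-web
        [string[]]$Paths = @(
            '/iissamples/', '/iishelp/', '/iisadmpwd/', '/iisadmin/',
            '/msadc/', '/scripts/', '/_vti_bin/', '/printers/'
        )
    )
    foreach ($path in $Paths) {
        $url = $BaseUrl.TrimEnd('/') + $path
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
            $status = [int]$resp.StatusCode
        } catch {
            # Any non-2xx answer lands here; read the code if the server sent one,
            # otherwise record 0 for "no HTTP response" (connection refused, timeout).
            $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        }
        # 200: the content is served. 401/403: the mapping exists but access is
        # restricted, which still means the sample content was never removed.
        $present = $status -in @(200, 401, 403)
        [pscustomobject]@{ Url = $url; Status = $status; Present = $present }
    }
}

# Usage (placeholder address, documentation range):
#   Test-DefaultWebContent -BaseUrl 'http://192.0.2.10' | Where-Object Present
```

A 404 for every path is not proof the server is clean, only that these particular mappings are gone; the SANS report's own checks cover the rest, and a server that answers 401 or 403 for `/iisadmpwd/` or `/msadc/` has the code installed and only access control standing between it and an attacker.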
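For the fifth item, an added example (not from the SANS report or a Microsoft KB article) that computes the LM hash step by step, so the upper-casing, the 14-character limit and the two independent halves are visible, and then reads or sets the two Lsa registry values that stop Windows storing and sending it. It assumes PowerShell 3.0 or later (for `-shl`/`-shr`) and the .NET DES class; the function and parameter names are mine. Run it on test strings only, never against a real password database.

```powershell
# Added example (not from the SANS report): the LM hash derived step by
# step, and the registry values that disable it. Assumes PowerShell 3.0+.

function Expand-DesKey {
    # LM uses each 7-byte half as a 56-bit DES key: spread the 56 bits over
    # 8 bytes, leaving the parity bit (LSB) of every byte clear.
    param([byte[]]$Key7)
    $k = [int[]]$Key7
    $key8 = New-Object byte[] 8
    $key8[0] = $k[0] -band 0xFE
    $key8[1] = (($k[0] -shl 7) -bor ($k[1] -shr 1)) -band 0xFE
    $key8[2] = (($k[1] -shl 6) -bor ($k[2] -shr 2)) -band 0xFE
    $key8[3] = (($k[2] -shl 5) -bor ($k[3] -shr 3)) -band 0xFE
    $key8[4] = (($k[3] -shl 4) -bor ($k[4] -shr 4)) -band 0xFE
    $key8[5] = (($k[4] -shl 3) -bor ($k[5] -shr 5)) -band 0xFE
    $key8[6] = (($k[5] -shl 2) -bor ($k[6] -shr 6)) -band 0xFE
    $key8[7] = ($k[6] -shl 1) -band 0xFE
    return ,$key8
}

function Protect-LmHalf {
    # DES-encrypt the fixed string "KGS!@#$%" under one 7-byte half.
    param([byte[]]$Half)
    if (-not ($Half | Where-Object { $_ -ne 0 })) {
        # An all-NUL half expands to DES's all-zero key, which .NET rejects as a
        # weak key; the result for that case is the fixed constant AAD3B435B51404EE.
        return ,[byte[]](0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE)
    }
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $des.Key = [byte[]](Expand-DesKey $Half)
    $magic = [System.Text.Encoding]::ASCII.GetBytes('KGS!@#$%')
    return ,$des.CreateEncryptor().TransformFinalBlock($magic, 0, $magic.Length)
}

function ConvertTo-LmHash {
    # ASCII passwords only; returns the 32-hex-digit LM hash.
    param([string]$Password)
    # 1. Case is thrown away: every letter is upper-cased before hashing.
    $upper = $Password.ToUpperInvariant()
    # 2. Only 14 characters fit. Windows 2000 and later store no real LM hash
    #    for anything longer (the stored value is the hash of an empty string);
    #    shorter passwords are NUL-padded to 14 bytes.
    if ($upper.Length -gt 14) { $upper = '' }
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($upper.PadRight(14, [char]0))
    # 3. The two 7-byte halves are hashed independently, so an attacker cracks
    #    two 7-character, single-case pieces instead of one 14-character password.
    $hash = @(Protect-LmHalf $bytes[0..6]) + @(Protect-LmHalf $bytes[7..13])
    return (($hash | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Get-LmHashPolicy {
    # The two Lsa values the Microsoft KB articles point at. NoLMHash = 1 stops
    # storing LM hashes (effective at each user's next password change; on
    # Windows 2000 it is a subkey named NoLMHash rather than a value).
    # LmCompatibilityLevel 2 or higher stops clients sending LM responses,
    # 3 sends NTLMv2 only, 5 also makes domain controllers refuse LM and NTLM.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $p = Get-ItemProperty -Path $lsa
    [pscustomobject]@{
        NoLMHash             = $p.NoLMHash
        LmCompatibilityLevel = $p.LmCompatibilityLevel
        LmHashStillStored    = ($p.NoLMHash -ne 1)
    }
}

function Set-LmHashPolicy {
    # Apply the hardened values; try -WhatIf first and test legacy clients.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$CompatibilityLevel = 3)
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($PSCmdlet.ShouldProcess($lsa, 'Set NoLMHash=1')) {
        Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($lsa, "Set LmCompatibilityLevel=$CompatibilityLevel")) {
        Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value $CompatibilityLevel -Type DWord
    }
}

# Usage (test strings only):
#   ConvertTo-LmHash 'Password'   # case makes no difference to the result
#   Get-LmHashPolicy
#   Set-LmHashPolicy -WhatIf
```

Two things to take from running it: `ConvertTo-LmHash` gives the same output for any capitalisation of the same word, and any password of seven characters or fewer produces the constant `AAD3B435B51404EE` as its second half, which is how a cracker tells at a glance that only seven characters need guessing. Setting `NoLMHash` does not scrub hashes already in the SAM or Active Directory; users must change their passwords before the old LM hash disappears.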
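For the seventh item, an added example (not from the SANS report) that applies the port list above to Windows Firewall log lines and emits matching outbound block rules. The log lines are constructed for this example, the function names are mine, and the `netsh advfirewall` syntax assumes Windows Vista/Server 2008 or later, because the XP SP2 firewall does not filter outbound traffic.

```powershell
# Added example (not from the SANS report): flag P2P connections in Windows
# Firewall (pfirewall.log) lines by destination port, and generate outbound
# block rules for the same ports. Log lines below are constructed.

# Port signatures from the list above. KaZaa (TCP 80) is deliberately absent:
# by port alone it is indistinguishable from ordinary Web traffic.
$P2PPorts = @(
    @{ App = 'Napster';  Protocol = 'TCP'; Ports = 8888, 8875, 6699 },
    @{ App = 'eDonkey';  Protocol = 'TCP'; Ports = 4661, 4662 },
    @{ App = 'eDonkey';  Protocol = 'UDP'; Ports = 4665 },
    @{ App = 'Gnutella'; Protocol = 'TCP'; Ports = 6345..6348 },
    @{ App = 'Gnutella'; Protocol = 'UDP'; Ports = 6345..6348 }
)

function Find-P2PConnection {
    # Parse W3C-style pfirewall.log lines; return those whose remote port and
    # protocol match a signature. Header lines (#...) are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^#' -or -not $line.Trim()) { continue }
        $f = $line -split '\s+'
        # Fields: date time action protocol src-ip dst-ip src-port dst-port ...
        if ($f.Count -lt 8 -or $f[7] -notmatch '^\d+$') { continue }   # ICMP has no ports
        $proto = $f[3]
        $dstPort = [int]$f[7]
        foreach ($sig in $P2PPorts) {
            if ($sig.Protocol -eq $proto -and $dstPort -in $sig.Ports) {
                [pscustomobject]@{
                    Time   = "$($f[0]) $($f[1])"
                    Action = $f[2]
                    Host   = $f[4]
                    Remote = "$($f[5]):$dstPort/$proto"
                    App    = $sig.App
                }
            }
        }
    }
}

function New-P2PBlockRule {
    # Emit one netsh advfirewall command per signature (run them as Administrator).
    foreach ($sig in $P2PPorts) {
        $ports = $sig.Ports -join ','
        "netsh advfirewall firewall add rule name=`"Block $($sig.App) $($sig.Protocol)`" dir=out action=block protocol=$($sig.Protocol) remoteport=$ports"
    }
}

# Constructed sample in the Windows Firewall log layout (addresses from the
# documentation ranges). The TCP 80 line is KaZaa-or-browser: it is not flagged.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-11-08 09:15:22 OPEN TCP 192.168.1.23 198.51.100.7 1042 4662 - - - - - - - - SEND
2004-11-08 09:15:40 OPEN TCP 192.168.1.23 198.51.100.9 1043 80 - - - - - - - - SEND
2004-11-08 09:16:01 OPEN UDP 192.168.1.40 203.0.113.5 6346 6346 - - - - - - - - SEND
2004-11-08 09:16:30 DROP TCP 192.168.1.23 198.51.100.7 1044 6699 - - - - - - - - RECEIVE
2004-11-08 09:17:05 OPEN ICMP 192.168.1.23 192.168.1.1 - - 60 - - - - 8 0 - SEND
'@ -split "`r?`n"

Find-P2PConnection -Lines $sample | Format-Table -AutoSize
New-P2PBlockRule
```

On the sample, the eDonkey, Gnutella and Napster lines are reported and the TCP 80 line is not, which is the point the text makes about KaZaa: port-based blocking catches the default configurations, and the hosts it keeps reporting are the ones to visit with a policy in hand, but a client moved to port 80 or any other port needs an application-aware proxy or host-based controls.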
Final word
The SANS Top 20 update is always of great interest and
significance to security specialists, IT professionals, and IT Managers, and
this latest edition is no different. Please don’t assume that I have included
all the important information found in this massive compilation of
vulnerabilities. In particular, the SANS list provides a goldmine of
information on determining whether you are vulnerable (in many instances such
as with SQL Server, this isn’t at all obvious) and detailed help in plugging
the holes.
A word to the wise: everyone occasionally makes a mistake or
is caught by a new vulnerability, but if it costs your company money, it will
be difficult to explain to your superiors why the systems under your control
were open to these well-known and widely exploited threats. Use this list as
a baseline of what to protect, and make sure you keep it protected.
Also watch for …
- MS04-039, "Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could
Allow Internet Content Spoofing," is rated only "important" by Microsoft,
and I don't see any great threat here either. It affects only Proxy Server
2.0 and Internet Security and Acceleration (ISA) Server 2000.
- San Jose, California-based Finjan Software, an international security
firm, has given Microsoft details of what the company says are 10 serious
vulnerabilities that remain in Windows XP even after SP2 is applied. One of
them reportedly lets attackers upload and run arbitrary programs. No further
details are available, but the vendor is said to be working with Microsoft
on fixes.
- Secunia has published a report of another variant of a weakness in
Internet Explorer 6 that lets attackers spoof the URL displayed in the
status bar. The threat is detailed in the report, but the risk is
relatively low.