The SANS Institute has recently updated its compilation of
the most common IT vulnerabilities. As usual, the list is broken into two
groups: Windows issues and Linux/UNIX issues. This article looks at the list of
Windows threats.


The SANS Top 20 list,
which is developed in cooperation with the FBI’s National Infrastructure
Protection Center, pinpoints the most dangerous and common vulnerabilities as
part of a massive document with lots of interesting details, including a
listing of the most vulnerable TCP/UDP ports.

The vulnerabilities listed are the ones actually seen being
exploited on a regular basis, which suggests that they are among the easiest
to exploit and the least likely to have been patched.

As mentioned above, this week I want to look at the top 10
Windows-related threats. It’s important to note that the SANS list doesn’t just
list vulnerabilities, it offers detailed suggestions for dealing with them.

  1. The
    top threat is to unpatched or poorly configured Web servers, including
    Apache, IIS, and Sun ONE (iPlanet). Besides requiring periodic updates to
    plug newly discovered holes, the default installations of most Web
    servers are insecure. In particular, server software often comes with
    demo applications and sample Web sites that are not secure and were never
    intended to be left on a production server. This matters even if you
    don’t think you run a Web server, because the Web server software may
    have been turned on by default: Windows 2000 Server, for example,
    installs IIS 5.0 by default. The best policy is to see the SANS report
    for a way to determine if you are at
  2. The Workstation
    service is the second most common threat exploited by hackers. This
    service processes requests for access to files and printers but is
    vulnerable to a stack-based buffer overrun on Windows 2000, XP (before
    SP1), and XP 64-bit. The patches in MS03-049 for Windows 2000 and
    MS03-043 for XP fix this hole, and XP SP2 includes the fix.
  3. Klez,
    Sircam, and Nimda all took advantage of Windows remote access services to
    spread as rapidly as they did. Every Windows version since Windows 95
    exposes RPC (remote procedure call) services that have been attacked, but
    XP SP2 restricts remote access to RPC and is more secure. SANS lumps this
    Windows threat in with NETBIOS file-share and anonymous (null-session)
    logon vulnerabilities.
  4. The
    fourth threat, in declining order of incidents, involves the various
    vulnerabilities in Microsoft SQL Server, which Slammer and other worms
    have exploited. SQL Server is required by a number of applications and
    programming tools, so you may not even realize it is installed. Visual
    Studio .NET, Access 2002, and Office XP, for example, can all install a
    copy of the MSDE desktop engine, which is essentially SQL Server “lite”
    and shares its vulnerabilities, and you must install SQL Server on a
    Tablet PC just to run a DeLorme GPS navigation system.
  5. The
    fifth most frequent exploit is our old friend the weak password or poor
    authentication. Many applications store passwords using a weak or
    well-known hashing algorithm. Windows NT, 2000, and XP all store, by
    default, an LM hash (LANMAN) of each password alongside the NT hash. The
    LM hash is weak by design: it uppercases the password, so case is lost;
    it covers only the first 14 characters, split into two 7-character halves
    that are hashed separately (with DES, without a salt) and can be cracked
    independently; and a password of 7 or fewer characters produces a
    recognizable constant second half. Windows Server 2003 does not store LM
    hashes by default. A legacy OS on your network (Windows 9x, for instance)
    may still require LM authentication. Various Microsoft KB articles address
    this threat and show how to disable LM hash storage and LM authentication
    or work around compatibility problems. Remember that while LM hashes are
    stored, even the strongest password of 14 characters or fewer is weakened
    by the hashing scheme itself; a password of 15 or more characters cannot
    be stored as an LM hash at all.
  6. Internet
    Explorer has fallen to the number six rank among the most common Windows
    threats. It’s important to note that many of the vulnerabilities listed by
    SANS also apply to versions of Opera, Mozilla, Firefox, and Navigator, so
    merely switching to an alternative browser will reduce, not eliminate,
    the threats. Still, IE has had 153 vulnerabilities reported since April
    2001 (according to the Security Focus archive), so it is still considered
    by far the least secure Web browser. There have been 15 IE
    vulnerabilities reported so far in 2004, but Mozilla has also received
    seven Secunia advisories, Navigator two, and Opera eight since January.
    The best protection is to never surf the net while logged on with high
    privileges (especially Administrator privileges) and to shut off ActiveX
    whenever possible. Windows XP SP2 has improved ActiveX security controls.
  7. The
    use of peer-to-peer networking systems to share files has grown in
    popularity, which opens up systems to a number of serious threats. P2P is
    ranked seventh in this SANS top threat listing. The best and probably only
    real protection is to never use KaZaa, Gnutella, or any other P2P software
    on a corporate network. Enforcing this rule can be difficult, so use your
    firewall to block commonly used ports such as TCP 8888, 8875, and 6699 for
    Napster; TCP 4661 and 4662, along with UDP 4665, for eDonkey; and TCP/UDP
    6345, 6346, 6347, and 6348 for Gnutella. Unfortunately, KaZaa uses TCP 80,
    so it can’t be blocked by port alone; that takes a proxy or
    application-aware filtering. Bear in mind that port blocking is a stopgap,
    since most P2P clients can be configured to use other ports.
  8. Eighth
    on this year’s list is the buffer overrun vulnerability in the Local
    Security Authority Subsystem Service (LSASS), which is used for
    authentication and Active Directory. The Sasser and Korgo worms exploited
    this vulnerability, which affects Windows 2000, XP, XP 64-bit, and Windows
    Server 2003 systems. Patching is the real fix; blocking the affected ports
    at the perimeter limits the exposure of machines you have not yet patched.
    See the report for details.
  9. It may
    surprise many to see that Outlook and Outlook Express are only ninth on
    the list of most commonly exploited items. That’s only because the SANS
    survey is of business systems. Outlook and OE are probably still king of
    vulnerabilities on home systems that use the mail client. I don’t use
    Outlook for anything but, if you do, make certain you keep it patched. If
    you don’t use it, remove it from Windows, but make a note to do this every
    time you install a new service pack or otherwise upgrade the system,
    because Outlook Express may be reinstalled without warning. Blocking
    certain risky attachment types is a good solution, but requires editing
    the Registry. Again, see the report for details.
  10. The
    final big Windows threat of the past six months has been the growing use
    of instant messaging in business settings. Windows Messenger has become
    thoroughly integrated into Windows and supports the MSN Messenger network,
    while other IM systems such as Yahoo and AOL have become widely used on
    many Windows systems. There is no complete protection available for IM
    threats, but keeping your IM contact (access) list tightly controlled and
    updating the IM software regularly will help.
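The LM hash problem in the fifth entry above is the one item on this list that an administrator can fix with a registry change, so here is an added example of doing that. It is my own script, not something from the SANS report or from a Microsoft KB article; the registry path and the NoLMHash and LmCompatibilityLevel value names are the documented Microsoft ones, while the -Apply and -TargetLevel parameters are names chosen for this script. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit (and, with -Apply, set) the LSA settings that govern
# LM hash storage and LM authentication.
#   NoLMHash             1 = do not store an LM hash when a password is next set
#   LmCompatibilityLevel 0 = send LM & NTLM, 1 = same but negotiate NTLMv2 session
#                        security, 2 = send NTLM only, 3 = send NTLMv2 only,
#                        4 = level 3 plus refuse LM, 5 = level 3 plus refuse LM and NTLM
# -Apply and -TargetLevel are this script's own parameters, not Windows settings.
param(
    [switch]$Apply,
    [ValidateRange(0, 5)][int]$TargetLevel = 3
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaDword([string]$Name) {
    # $null when the value is absent, meaning the OS default applies.
    (Get-ItemProperty -Path $lsaKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

$noLmHash = Get-LsaDword 'NoLMHash'
$level    = Get-LsaDword 'LmCompatibilityLevel'

# Absent values are treated conservatively as the weak Windows 2000/XP defaults
# (LM hash stored, level 0). Server 2003 and later default to not storing LM
# hashes, so on those systems an absent NoLMHash may be a false positive here.
$storesLm = ($noLmHash -ne 1)
$sendsLm  = ($null -eq $level) -or ($level -lt 2)

[pscustomobject]@{
    NoLMHash             = $noLmHash
    LmCompatibilityLevel = $level
    StoresLmHash         = $storesLm
    MaySendLmResponse    = $sendsLm
} | Format-List

if ($Apply) {
    if ($storesLm) {
        # New-ItemProperty -Force creates the value or overwrites an existing one.
        New-ItemProperty -Path $lsaKey -Name 'NoLMHash' -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Host 'NoLMHash set to 1. LM hashes already stored remain until each password is changed.'
    }
    if (($null -eq $level) -or ($level -lt $TargetLevel)) {
        New-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -Value $TargetLevel -PropertyType DWord -Force | Out-Null
        Write-Host "LmCompatibilityLevel set to $TargetLevel (effective after a reboot)."
    }
}
```

Two caveats the script comments hint at: NoLMHash only affects passwords set after the change, so force a password change (or set a 15-character-or-longer passphrase, for which no LM hash can be stored) to clear the hashes already on disk; and LmCompatibilityLevel 4 or 5 on a domain controller will lock out any remaining Windows 9x or unpatched NT clients, which is exactly the compatibility problem the KB articles mentioned above work around.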
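The seventh entry gives a list of P2P ports to block. As an added example, not from the SANS report or the article, here is that list turned into outbound block rules in the Windows host firewall using the NetSecurity cmdlets that ship with Windows 8 and Windows Server 2012 and later (nothing comparable existed on a 2004-era system, where this would have been a perimeter firewall rule set). The 'P2P Block' group and rule names are chosen here. Run from an elevated prompt.

```powershell
# Added example: block the P2P ports listed in the article with outbound
# Windows Firewall rules, grouped so they can be reviewed or removed together.
$rules = @(
    @{ Name = 'Napster TCP';  Protocol = 'TCP'; Ports = @('8888', '8875', '6699') },
    @{ Name = 'eDonkey TCP';  Protocol = 'TCP'; Ports = @('4661', '4662') },
    @{ Name = 'eDonkey UDP';  Protocol = 'UDP'; Ports = @('4665') },
    @{ Name = 'Gnutella TCP'; Protocol = 'TCP'; Ports = @('6345-6348') },
    @{ Name = 'Gnutella UDP'; Protocol = 'UDP'; Ports = @('6345-6348') }
)

foreach ($r in $rules) {
    $display = "P2P Block - $($r.Name)"
    # Skip rules that already exist so the script is safe to re-run.
    if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $display -Group 'P2P Block' -Direction Outbound `
        -Action Block -Protocol $r.Protocol -RemotePort $r.Ports -Profile Any -Enabled True | Out-Null
}

# Verify what was created: one line per rule with protocol and remote ports.
Get-NetFirewallRule -Group 'P2P Block' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    '{0,-26} {1,-4} {2}' -f $_.DisplayName, $pf.Protocol, ($pf.RemotePort -join ',')
}
```

KaZaa is deliberately absent: as the article says it runs over TCP 80, and a port rule cannot separate it from ordinary Web traffic, so that case needs a proxy or application-aware filtering. Port rules are also easy to defeat by reconfiguring the client, which is why the article's first recommendation is a policy of not running P2P software at all; the rules above are a backstop, not the control.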

Final word

The SANS Top 20 update is always of great interest and
significance to security specialists, IT professionals, and IT Managers, and
this latest edition is no different. Please don’t assume that I have included
all the important information found in this massive compilation of
vulnerabilities. In particular, the SANS list provides a goldmine of
information on determining whether you are vulnerable (in many instances such
as with SQL Server, this isn’t at all obvious) and detailed help in plugging
the holes.

A word to the wise: everyone occasionally makes a mistake or
is caught by a new vulnerability but, if it costs your company money, it will
be difficult to explain to your superiors just why the systems under your control
were vulnerable to these well-known and widely exploited threats. You can use
this list as a baseline of what to protect and make sure you keep it protected.

Also watch for …

  • MS04-039
    “Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow
    Internet Content Spoofing” is only rated “important” by Microsoft and I
    don’t see any great threat here either. This only affects Proxy Server 2.0
    and Internet Security and Acceleration (ISA) Server 2000.
  • San Jose, California-based Finjan, an international security firm, has
    given Microsoft details of what the company says are 10 serious
    vulnerabilities still existing in Windows XP even after patching with SP2.
    One threat lets attackers upload and run arbitrary programs. No further
    details are available, but the vendor is said to be working with Microsoft
    to fix the problems.
  • Secunia has published a report of another variant
    of a weakness in Internet Explorer 6, which lets attackers spoof the URLs
    displayed in the status bar. The threat is detailed in the report but the
    risk is relatively low.