In-Depth

In Brief

Top 20 Windows/Unix vulnerabilities, Microsoft flaws and fixes

• By Mathew Schwartz
• 10/20/2004

SANS Unveils Top 20 Windows/Unix Vulnerabilities

SANS released its annual list of the top 20 vulnerabilities facing IT managers. The list is designed to help companies target the most damaging vulnerabilities first, thus maximizing their remediation efforts. Conversely, the top 20 vulnerabilities are often the easiest to exploit. Attackers prefer an entrée to corporate networks, and will hammer away again and again at well-known and easy-to-exploit vulnerabilities.

Recent attacks demonstrate when it comes to remediation, there’s still room for improvement. For example, SANS attributes the easy spread of such worms as Blaster, Code Red, and Slammer to well-known yet widely unpatched vulnerabilities. In other words, if companies remediate anything, they should start with the top 20, which details the 10 most-exploited vulnerabilities for both the Windows and Unix platforms.

The top-vulnerabilities list started four years ago when the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a list of the top 10 vulnerabilities. Since then, it’s expanded.

Windows Top 10 Vulnerabilities:

1. Web Servers and Services
2. Workstation Service
3. Windows Remote Access Services
4. Microsoft SQL Server (MSSQL)
5. Windows Authentication
6. Web Browsers
7. File-Sharing Applications
8. LSAS Exposures
9. Mail Client
10. Instant Messaging

Unix/Linux Top 10 Vulnerabilities:

1. 1. BIND Domain Name System
2. Web Server
3. Authentication
4. Version Control Systems
5. Mail Transport Service
6. Simple Network Management Protocol (SNMP)
7. Open Secure Sockets Layer (SSL)
8. Misconfiguration of Enterprise Services NIS/NFS
9. Databases
10. Kernel

For more information, and a more detailed analysis of why, for example, the number one Windows vulnerability is default installations of Web servers and services, see the SANS Web site: http://www.sans.org/top20/

- - -

Microsoft Releases Seven Critical Security Bulletins

Microsoft detailed 10 new vulnerabilities in its October 2004 security bulletin. Seven Windows vulnerabilities are labeled “critical” by Microsoft; three are “important.” Another vulnerability concerns Microsoft Excel.

“This is the most vulnerabilities ever announced by Microsoft since their new monthly release cycle,” notes TippingPoint’s chief technology officer, Marc Willebeek-LeMair.

With Microsoft releasing a patch for the vulnerabilities the same day it announced them, the clock is ticking. “Applying the security patches for these vulnerabilities is critical,” notes Oliver Friedrichs, senior manager for Symantec Security Response. He says the window between public knowledge of a vulnerability and the release of an exploit designed to exploit it is shrinking, leaving security managers with less time to patch. “Between January 1 and June 30, 2004, the average time between the announcement of a vulnerability and the appearance of associated exploit code was 5.8 days.”

One vulnerability rated “extremely critical” by information provider Secunia concerns Internet Explorer (IE) versions 5.01, 5.5, and 6. It’s a boundary error in Cascading Style Sheet processing, which “can be exploited to cause a buffer overflow via a malicious Web page or HTML e-mail message,” says Secunia, resulting in execution of arbitrary code. Similar methods can be used to attack a PC via a boundary error in the Install Engine (inseng.dll), which would also allow execution of arbitrary code.

More cross-domain security errors exist as well, allowing an attacker to execute scripts in a PC’s “local machine” security zone.

A “canonicalization error,” says Secunia, relating to how double-byte systems display URLs, can be exploited to “spoof information displayed in the address bar.”

For Web sites, an SSL error leaves their SSL cache vulnerable to inappropriate access, or seeing content spoofed on their sites.

On the Windows front, Microsoft says Excel, zipped folders, SMTP, NNTP, and the Windows shell are vulnerable to a variety of attacks, with results ranging from escalated privileges for attackers to denial-of-service to compromised systems. Another vulnerability involves “missing restrictions on several Window Management API functions,” says Secunia. Thus a malicious program could use the API to alter the properties of other programs, even without permission.

Protected kernel memory can also be accessed via a flaw in how the memory is referenced in the Virtual DOS Machine subsystem. A malicious software program could exploit this vulnerability to run arbitrary code at the same permission level the kernel enjoyed.

Again, Microsoft recommends immediate patching.

More information: http://www.microsoft.com/technet/security/bulletin/ms04oct.mspx