
Activity 1.4.5: Identifying Top Security Vulnerabilities

Learning Objectives

Upon completion of this activity, you will be able to:

• Use the SANS site to quickly identify Internet security threats.
• Explain how threats are organized.
• List several recent security vulnerabilities.
• Use the SANS links to access other security-related information.

Background

One of the most popular and trusted sites related to defending against
computer and network security threats is SANS. SANS stands for
SysAdmin, Audit, Network, Security. SANS contains several components,
each a major contributor to information security. For additional
information about the SANS site, go to http://www.sans.org/, and select
items from the Resources menu.
How can a corporate security administrator quickly identify security
threats? SANS and the FBI have compiled their list of the top 20 Internet
Security Attack Targets at http://www.sans.org/top20/. The list is
regularly updated with information formatted by:

• Operating Systems—Windows, Unix/Linux, MAC
• Applications—Cross-platform, including web, database, Peer-to-Peer,
instant messaging, media players, DNS servers, backup software, and
management servers.
• Network Devices—Network infrastructure devices (routers, switches,
etc.), VoIP devices
• Human Elements—Security policies, human behavior, personnel
issues.
• Special Section—Security issues not related to any of the above
categories.

Scenario

This lab will introduce students to computer security issues and
vulnerabilities. The SANS web site will be used as a tool for threat
vulnerability identification, understanding, and defense.
This lab must be completed outside of the Cisco lab from a computer
with Internet access.
Estimated completion time is one hour.

CCNA Exploration
Network Fundamentals:
Living in a Network-Centric World Activity 1.4.5 Identifying Top Security
Vulnerabilities
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights
reserved. This document is Cisco Public Information. Page 2 of 4
Task 1: Locate the SANS Resources.

Step 1: Open the SANS Top 20 List.

Using a web browser, go to URL http://www.sans.org. On the Resources
menu, choose top 20 list, shown in Figure 1.

Figure 1. SANS Menu

Client-side Vulnerabilities in:
C1. Web Browsers
C2. Office Software
C3. Email Clients
C4. Media Players
Server-side Vulnerabilities in:
S1. Web Applications
S2. Windows Services
S3. Unix and Mac OS Services
S4. Backup Software
S5. Anti-virus Software
S6. Management Servers
S7. Database Software
Security Policy and Personnel:
H1. Excessive User Rights and Unauthorized Devices
H2. Phishing/Spear Phishing
H3. Unencrypted Laptops and Removable Media
Application Abuse:
A1. Instant Messaging
A2. Peer-to-Peer Programs
Network Devices:
N1. VoIP Servers and Phones
Zero Day Attacks:
Z1. Zero Day Attacks
The SANS Top-20 Internet Security Attack Targets list is organized by category. An
identifying letter indicates the category type, and numbers separate category topics.
Router and switch topics fall under the Network Devices category, N. There are two
major hyperlink topics:

N1. VoIP Servers and Phones
N2. Network and Other Devices Common Configuration Weaknesses

Step 2: Click hyperlink N2. Network and Other Devices Common Configuration
Weaknesses to jump to this topic.

Task 2: Review the SANS Resources.

Step 1: Review the contents of N2.2 Common Default Configuration Issues.

For example, N.2.2.2 (in January 2007) contains information about threats
associated with default accounts and values. A Google search on “wireless router
passwords” returns links to multiple sites that publish a list of wireless router default
administrator account names and passwords. Failure to change the default
password on these devices can leave them vulnerable to compromise by attackers.

Step 2: Note the CVE references.

The last line under several topics references Common Vulnerability Exposure
(CVE). The CVE name is linked to the National Institute of Standards and
Technology (NIST) National Vulnerability Database (NVD), sponsored by the
Department of Homeland Security (DHS) National Cyber Security Division and
US-CERT, which contains information about the vulnerability.

Task 3: Collect Data.

The remainder of this lab walks you through a vulnerability investigation and
solution.

Step 1: Choose a topic to investigate, and click on an example CVE hyperlink.

Note: Because the CVE list changes, the current list may not contain the same 
vulnerabilities as those in January 2007.
The link should open a new web browser connected to http://nvd.nist.gov/ and the 
vulnerability summary page for the CVE.

Answer:

C1. Web Browsers
C1.1 Description
Microsoft Internet Explorer is the world's most popular web browser and is installed by default on every
Microsoft Windows system. Unpatched or older versions of Internet Explorer contain multiple vulnerabilities
that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The most critical
issues are the ones that lead to remote code execution without any user interaction when a user visits a
malicious web page or reads a malicious email. Exploit code for many of these critical Internet Explorer
flaws is publicly available. In addition, Internet Explorer has been leveraged to exploit vulnerabilities in
other core Windows components such as HTML Help and the Graphics Rendering Engine. During the past
year, hundreds of vulnerabilities in ActiveX controls installed by Microsoft and other software vendors have
been discovered. These are also being exploited via Internet Explorer.
Mozilla Firefox is the second most popular web browser after Internet Explorer. It also has a fair share of
vulnerabilities. In 2007, it has released several updates to address publicly disclosed vulnerabilities.
Similarly to Internet Explorer, unpatched or older versions of Firefox contain multiple vulnerabilities that
can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The web sites exploiting
the browser vulnerabilities typically host several exploits, and even launch the appropriate exploit(s)
based on which browser the potential victim is using.
With the explosion of rich content in web sites, a parallel increase has been seen in the number of Browser
Helper Object and third-party plug-ins used to access various MIME file types such as multimedia and
documents. These plug-ins often support client-side web scripting languages such as Macromedia Flash or
Shockwave. Many of these plug-ins are installed (semi-)transparently by a website. Users may thus not be
aware that an at-risk helper object or plug-in is installed on his/her system. These additional plug-ins
introduce more avenues for hackers to exploit to compromise computers of users visiting malicious web
sites.
In October 2007, for example, systems running Windows XP and Windows Server 2003 with Windows Internet
Explorer 7 were found not to handle specially crafted Uniform Resource Identifiers (URIs) properly. By
creating a specially crafted URI in a PDF document attackers were able to execute arbitrary commands on
vulnerable systems.
While some plug-ins such as Adobe Reader and Quicktime perform version checks and provide an update
feature, these are often bothersome and ignored by users. It is often also difficult to detect which version of
a plug-in is installed. For example, systems may have different versions of Shockwave installed for reasons
of backward compatibility, but the user cannot easily discover which version or versions are running.
These flaws have been widely exploited to install spyware, adware and other malware on users' systems.
The spoofing flaws have been leveraged to conduct phishing attacks. In some cases, these vulnerabilities
were zero-days i.e. no patch was available at the time the vulnerabilities were publicly disclosed. Many
reported plug-ins were also widely exploited by malicious web sites before patches were made available by
the vendor.
In 2007 alone, Microsoft has released multiple updates for Internet Explorer.

• Cumulative Security Update for Internet Explorer (939653) (MS07-057)
• Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127) (MS07-050)
• Cumulative Security Update for Internet Explorer (937143) (MS07-045)
• Cumulative Security Update for Internet Explorer (933566) (MS07-033)
• Vulnerabilities in GDI Could Allow Remote Code Execution (925902) (MS07-017)
• Cumulative Security Update for Internet Explorer (931768) (MS07-027)
• Cumulative Security Update for Internet Explorer (928090) (MS07-016)
• Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969) (MS07-004)

Note that the latest cumulative update for Internet Explorer includes all the previous cumulative updates.
Also note that MS07-017 does not list vulnerabilities in Internet Explorer; however, the most common avenue
of exploitation is via Internet Explorer.
C1.2 Operating Systems Affected
While in theory any web browser on any operating system is vulnerable, the most common web browsers will
tend to be targeted most by attackers. The two most popular web browsers on the Internet today are
Microsoft Internet Explorer and Mozilla Firefox.
Internet Explorer 5.x, 6.x and 7 running on all versions of Windows are affected.
Firefox running on any version of compatible operating systems is potentially vulnerable.
As plug-ins are generally used to enable access to third party file formats, many plug-in vulnerabilities apply
to all compatible browsers on all operating systems. Any web browser running on any version of any
operating system is potentially vulnerable.

Step 2: Fill in information about the vulnerability:

Original release date: 2/13/2007
Last revised: 5/16/2007
Source: US-CERT/NIST
Overview:
Microsoft Internet Explorer 5.01, 6 and 7 use COM objects from Imjpcksid.dll as
ActiveX controls, which allows intruders to execute unknown paths
arbitrarily.

Step 3: Fill in information about the vulnerability impact:

CVSS Severity (Version 2.0):
Base Score: 9.3 (High)
Range: 8.6
Authentication: Does not require expansion
Impact Type: Provides administrator permission; allows complete
reliability, integrity and availability violation; allows unauthorized access to
information; allows interruption of service.
The next heading contains links with information about the vulnerability and 
possible solutions.
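
How a 9.3 base score like the one recorded in Step 3 comes out of the CVSS v2 equations, as an added example that is not part of the original worksheet. The vector AV:N/AC:M/Au:N/C:C/I:C/A:C is an assumption (the worksheet records no vector), chosen because it yields a 9.3 base score; the weights are those of the CVSS v2 specification.

```python
# Added example: CVSS v2 base-score equations, weights from the CVSS v2 spec.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # availability impact
}

# Assumption: the worksheet does not record a vector; this one is chosen
# because it yields the 9.3 base score written on the worksheet.
ASSUMED_VECTOR = "AV:N/AC:M/Au:N/C:C/I:C/A:C"


def parse_vector(vector):
    """Turn 'AV:N/AC:M/...' into {metric: weight}; reject malformed input."""
    fields = vector.strip().split("/")
    try:
        chosen = dict(f.split(":", 1) for f in fields)
        if len(fields) != len(WEIGHTS) or set(chosen) != set(WEIGHTS):
            raise ValueError("need exactly AV, AC, Au, C, I, A")
        return {m: WEIGHTS[m][v] for m, v in chosen.items()}
    except KeyError as bad:
        raise ValueError(f"unknown metric value {bad}") from None


def severity(base):
    """NVD qualitative ranking for CVSS v2 scores."""
    return "Low" if base < 4.0 else "Medium" if base < 7.0 else "High"


def base_score(vector):
    """Return base score, both subscores and the severity label."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 1.176 if impact else 0.0          # zero impact forces base 0
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    base = round(max(0.0, raw), 1)
    return {"base": base, "impact": round(impact, 1),
            "exploitability": round(exploitability, 1),
            "severity": severity(base)}


if __name__ == "__main__":
    print(ASSUMED_VECTOR, base_score(ASSUMED_VECTOR))
```

For the assumed vector the exploitability subscore is 8.6 and the impact subscore is 10.0; changing AC from M to L raises the base score to 10.0.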
Step 4: Using the hyperlinks, write a brief description of the solution as found on
those pages.

Answer: Apply the Microsoft updates from the security bulletins; these update
packages are in turn obtained from the distribution systems of the Windows
servers' update services (WS-US).

Task 4: Reflection

The number of vulnerabilities to computers, networks, and data continues to
increase. Governments have dedicated significant resources to coordinating
and disseminating information about the vulnerability and possible solutions. It
remains the responsibility of the end user to implement the solution. Think of
ways that users can help strengthen security. Think about user habits that create
security risks.
Answer:
• Keep the computer up to date.
• Download files from trusted pages.
• Install original software.
• Enable the operating system's built-in updates (firewall, daily scan,
up-to-date antivirus).
• Use Parental Control.

Task 5: Challenge

Try to identify an organization that will meet with us to explain how vulnerabilities
are tracked and solutions applied. Finding an organization willing to do this may be
difficult, for security reasons, but will benefit students, who will learn how
vulnerability mitigation is accomplished in the world. It will also give representatives
of the organization an opportunity to meet the class and conduct informal intern
interviews.
