These days, PCs often face multifaceted attacks by cybercriminals. PCs need security to prevent incoming intrusions, as well as outbound attacks, like malicious code "phoning home" or worms sending out user information. Attackers often gain easy access to PCs simply by entering through open ports or exploiting common network technologies.
Attacking the perimeter
Both legitimate users and attackers connect to systems via open ports. When PCs are outside the perimeter of corporate LANs, they are especially vulnerable. Every additional open port is another possible way for attackers to enter the system. Therefore, it is important to control port access on local PCs, ensuring they function properly and securely.
Invaders inside
Blocking ports is not a substitute for comprehensive endpoint-security policies and design. Even if PC ports are closed off, attackers exploiting vulnerable network protocols can compromise PCs that are not properly secured. In general, Windows systems have built-in support for most standard networking protocols and, in particular, for Microsoft-specific networking technologies. These are common targets for hackers to exploit.
NetBIOS
File and folder sharing is enabled through a set of APIs that allow a local PC to access resources across Windows networks. The Server Message Block (SMB) protocol and the Common Internet File System (CIFS) protocol enable users to treat remote files and folders as if they were on local PCs. PC owners often create open network shares for colleagues and third parties by making folders or even entire drives readable and writable. Unfortunately, they are also opening access to malware and hackers. Incorrectly configured or unsecured network shares provide an easy avenue for malicious users or programs to modify system files or take complete control of host PCs. For example, the Nimda worm spread quickly by discovering unprotected network shares and placing copies of itself in them.
Anonymous logon
Communication sessions established without credentials (i.e., blank username and password) are often called "null sessions." They are used to share user, group, network share, or password policy information. For example, Windows NT services running as Local System accounts on local computers communicate with other services over networks by establishing null sessions. The SMB protocol has also been exploited by attackers to obtain PC system information. User and group information (i.e., username, last logon date, password policy), system configuration information, and certain registry keys can all be accessed using "null session" connections to the NetBIOS Session Service. Hackers use this system information when mounting password-guessing or brute-force password attacks against targeted Windows PCs.
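As an added example (not part of the original article), the following PowerShell script audits a Windows PC for the three exposures described above: listening TCP ports, the null-session restrictions held in the LSA registry key, and non-administrative shares that grant the Everyone group write access. It assumes an elevated session on Windows 8 / Server 2012 or later, where the NetTCPIP and SmbShare modules are available.

```powershell
# Added example, not from the original article. Audits a Windows PC for
# open listening ports, null-session restrictions and shares writable by
# Everyone. Assumes an elevated session on Windows 8 / Server 2012 or later.

# 1. Listening TCP ports with the owning process: the fewer, the smaller
#    the attack surface reachable from the network.
Write-Host "== Listening TCP ports =="
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0,6}  {1}' -f $_.LocalPort, $proc.ProcessName
    }

# 2. Null-session restrictions in the LSA key. Hardened values:
#    RestrictAnonymous=1, RestrictAnonymousSAM=1, EveryoneIncludesAnonymous=0.
#    A value that is not set at all is flagged so an administrator reviews it.
Write-Host "`n== Anonymous (null session) restrictions =="
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expected = @{ RestrictAnonymous = 1; RestrictAnonymousSAM = 1; EveryoneIncludesAnonymous = 0 }
foreach ($name in $expected.Keys) {
    $actual = $lsa.$name
    if ($null -eq $actual) { $actual = '(not set)' }
    $status = if ($actual -eq $expected[$name]) { 'OK  ' } else { 'WEAK' }
    '{0}  {1,-26} = {2}' -f $status, $name, $actual
}

# 3. Non-administrative shares (C$, ADMIN$, IPC$ are skipped) where the
#    Everyone group is allowed Change or Full control, i.e. may write.
Write-Host "`n== Shares writable by Everyone =="
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and
                       $_.AccessControlType -eq 'Allow' -and
                       "$($_.AccessRight)" -match '^(Change|Full)$' } |
        ForEach-Object {
            '{0,-20} {1}  ({2})' -f $share.Name, $share.Path, $_.AccessRight
        }
}
```

Any line marked WEAK or any share listed in the last section is a candidate for the port, registry and share hardening the article recommends.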
Remote procedure calls
Windows operating systems allow programs running on one PC to execute code on remote PCs by using Remote Procedure Calls (RPCs). At least three published vulnerabilities show hackers how to run arbitrary code on susceptible hosts with Local System privileges. One of these vulnerabilities was exploited by the Blaster/LovSAN/MS Blaster and Nachi/Welchia worms. Other vulnerabilities can allow attackers to mount Denial of Service (DoS) attacks against RPC components.
A web of threats
Finally, attackers can even exploit Web browsing. Malicious Web pages can exploit Web-browser vulnerabilities on PCs simply by being viewed. Most of these dangers, such as Cross Site Scripting attacks, affect most browsers. Enterprises that allow Web-based network access face new threats, including disclosure of cookies or local files, execution of local programs or malicious code, or complete takeover of vulnerable PCs. Due to its widespread use throughout business environments, Internet Explorer (IE) is the hacker target of choice by a large margin.
Examples of browser vulnerabilities
- Internet Explorer—Cross Site and Zone Scripting vulnerabilities in IE and improper use of the ActiveX Data Object model allow attackers to bypass security and execute local HTML documents or inject arbitrary script code, compromising users' systems. This has been confirmed on fully patched PCs with IE 6.0 and Microsoft Windows XP SP2.
- Mozilla/Firefox—Boundary errors in "nsMsgCompUtils.cpp" can lead to heap-based buffer overflows when specially crafted emails are forwarded.
- Opera—When URLs are opened in new browser windows/frames, the Opera browser is vulnerable to URL Cross Site Scripting due to improper restriction of JavaScript privileges.