All common operating systems, regardless of vendor or platform, have vulnerabilities. Although APTs and nation-state actors might keep the vulnerabilities they discover to themselves, most vulnerabilities are well documented, with exploits publicly available. On any particular platform, many vulnerabilities share common traits. Vulnerabilities in Windows-based operating systems have the following commonalities:

  • All Windows operating systems and most Windows applications are written in some variant of the C programming language, which performs no bounds-checking by default. If developers do not deliberately write bounds-checking and input validation into their code, the result can be buffer overflows, which attackers use for arbitrary code execution and escalation of privilege.
  • All systems depend on developers incorporating security best practices, including unit testing, as they code. Most developers do not know how, or do not have the time, to fully implement secure coding practices. All Windows products also depend on their administrators to install and maintain them using best practices: configuring appropriate security controls, changing defaults, shutting off unnecessary services, and applying patches in a timely manner. Failure to do so introduces vulnerabilities.
  • Windows is a proprietary product. As such, the general public has no visibility into its source code. Unlike open source products, only developers specifically contracted by Microsoft vet Windows products before they are released to market. While this leads to a more controlled software assurance process, it can also mean that fewer people have had a chance to review the code for security risks, so more software bugs escape notice.
  • Windows operating systems are complex, with tens of millions of lines of code. Vulnerabilities continue to be discovered long after the product is released to market. End users are dependent on the vendor to respond to new vulnerabilities with timely patches.
  • Microsoft does not attempt to patch every vulnerability. Some of the most notorious exploits were never completely eradicated. Like most vendors, Microsoft sometimes simply releases a new version of its product rather than trying to completely fix the old version. Of course, there are still many installations of old (vulnerable) versions in existence. Additionally, new versions introduce their own vulnerabilities.
  • Servers are likely to have more network-based vulnerabilities because they run applications that listen on open ports. Workstations are likely to have more end-user application-based vulnerabilities because end users often do not follow good practices when installing software and maintaining their systems.
  • Because Windows uses many standard protocols and technologies, it is vulnerable to cross-platform exploits as well, including POODLE, Heartbleed, XSS, XSRF, and SQL injection.
  • As with other products, Windows systems are at dramatically greater risk if the attacker has physical access. This can include plugging in cables to administrative console ports, booting to a different operating system, inserting removable media, and stealing or damaging hardware components.
  • A number of Windows vulnerabilities become directly exposed if the user can be socially engineered into opening a malicious web page or infected document.
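The first bullet's point about C performing no bounds-checking is shown below as an added example (not from the original text): an unchecked copy into a fixed buffer beside a hardened version that validates the length and character set first. The 16-byte username buffer and the allowed-character rules are assumptions chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define USERNAME_MAX 16   /* room for 15 characters plus the NUL terminator (assumed size) */

/* Vulnerable pattern: strcpy copies until it sees a NUL byte, and nothing
 * checks that the source fits in the 16-byte destination. A longer input
 * silently overwrites whatever follows the buffer in memory. */
void copy_username_unchecked(char dest[USERNAME_MAX], const char *src) {
    strcpy(dest, src);
}

/* Hardened form: bound the length scan, reject anything that would not fit,
 * and whitelist the character set before copying.
 * Returns 1 on success, 0 if the input is rejected and dest is left untouched. */
int copy_username_checked(char dest[USERNAME_MAX], const char *src) {
    if (src == NULL) return 0;
    /* Never scan past USERNAME_MAX bytes, so a hostile, unterminated source
     * cannot make the length check itself read out of bounds. */
    size_t len = 0;
    while (len < USERNAME_MAX && src[len] != '\0') len++;
    if (len == 0 || len >= USERNAME_MAX) return 0;   /* empty, or no room for the NUL */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok) return 0;   /* reject spaces, shell metacharacters, control bytes */
    }
    memcpy(dest, src, len);
    dest[len] = '\0';
    return 1;
}

int main(void) {
    char buf[USERNAME_MAX];
    /* Constructed sample inputs */
    const char *good = "alice_01";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes, would overflow */
    printf("good:     %d\n", copy_username_checked(buf, good));       /* 1 */
    printf("too long: %d\n", copy_username_checked(buf, too_long));   /* 0 */
    return 0;
}
```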
Research Tools

As a pen tester, you will often be looking for the latest information and tools. Some good places to conduct research on local host vulnerabilities and search for exploits include: