February 10th, 2009

Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts

Posted by Dancho Danchev @ 5:49 am

Categories: Arbitrary Code Execution, Botnets, Browsers, Exploit code, Hackers, Malware, Microsoft, Passwords, Patch Watch, Pen testing, Windows Vista

Tags: Security, BeyondTrust, Least Privilege, Security Bulletin, Critical Windows Vulnerability, Dancho Danchev

A recently released report by BeyondTrust entitled “Reducing the Threat from Microsoft Vulnerabilities” indicates that, according to the company’s analysis of all the security bulletins Microsoft published in 2008, 92% of the critical vulnerabilities could have been mitigated by the principle of least privilege.

Despite the fact that Microsoft’s products continue to top the “successfully exploited” charts in each and every web malware exploitation kit (see the sample infection rates), long gone are the days when Microsoft’s products were targeted exclusively. Nowadays, in order to better optimize a malware campaign, a web malware exploitation kit targets a diverse set of client-side software and browser plugins.

Here are some of the key points from the report:

  • 92% of Critical Microsoft vulnerabilities are mitigated by configuring users to operate without administrator rights
  • Of the total published Microsoft vulnerabilities, 69% are mitigated by removing administrator rights
  • By removing administrator rights companies will be better protected against exploitation of 94% of Microsoft Office, 89% of Internet Explorer, and 53% of Microsoft Windows vulnerabilities
  • 87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights
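The report's figures rest on one operational question: is the account that browses the web and opens Office documents actually a standard user, or is it a member of the local Administrators group? The following PowerShell audit script is an added example, not code from the BeyondTrust report or from the post; it checks whether the current session holds administrator rights and lists the members of the local Administrators group so that a least-privilege policy can be verified on a workstation. The `Get-LocalGroupMember` cmdlet ships with Windows 10 / Server 2016 and later; the ADSI fallback is assumed to be adequate for older systems such as XP and Vista.

```powershell
# Added example: verify that a workstation session follows least privilege.
# Not part of the BeyondTrust report or the original post.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# IsInRole reflects the *process token*: a Vista/7 admin running non-elevated under
# UAC carries a filtered token and reports as a standard user here.
$isAdmin = $principal.IsInRole($adminRole)

if ($isAdmin) {
    Write-Warning "$($identity.Name) is running with administrator rights; daily work should use a standard user account."
} else {
    Write-Output "$($identity.Name) is running as a standard user (least privilege in effect for this process)."
}

# Group membership is the durable fact: an account in Administrators can elevate
# at any time, so list who is in the group regardless of the current token.
try {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource
} catch {
    # Fallback for systems without the LocalAccounts module (assumed path for XP/Vista).
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.Invoke('Members')) | ForEach-Object {
        [PSCustomObject]@{
            Name        = $_.GetType().InvokeMember('Name',  'GetProperty', $null, $_, $null)
            ObjectClass = $_.GetType().InvokeMember('Class', 'GetProperty', $null, $_, $null)
        }
    }
}

Write-Output "Members of the local Administrators group on $env:COMPUTERNAME:"
$members | Format-Table -AutoSize

# Flag the current user explicitly if they appear in the group, even when the
# token check above passed (the UAC filtered-token case).
$currentShort = $identity.Name.Split('\')[-1]
if ($members | Where-Object { $_.Name -like "*\$currentShort" -or $_.Name -eq $currentShort }) {
    Write-Warning "$($identity.Name) is a member of Administrators; exploitation of a client-side flaw can still reach admin rights via elevation."
}
```

Running both checks matters because they answer different questions: the token check tells you what a compromised browser process could do right now, while the group listing tells you whether the account could be elevated at all, which is the property the report's 92% figure depends on.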

Interestingly, although the client-side vulnerabilities exploited through web exploitation kits have had patches available for months, sometimes years, end users appear not only to lack an understanding of least privilege accounts, but also to still believe that patching their browser is where the self-auditing process both starts and ends.

Moreover, the ongoing Conficker/Downadup malware campaign, which has already passed the 10 million infected hosts milestone, is a very recent example of another phenomenon: millions of end users, and possibly companies, are deliberately using pirated copies of Windows and are therefore running highly vulnerable, yet Internet-connected, versions of it. The proof? Symantec’s geolocated graph of infected Conficker hosts speaks for itself: the countries with the highest software piracy rates are in fact the ones most heavily hit by the malware.

However, least privilege accounts can be used by legitimate users and software pirates alike, and when combined with decent situational awareness, in the sense of knowing the current attack tactics, they are likely to decrease the chance of a successful compromise.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


Talkback (most recent of 166):

Rumor not fact
I saw this proposed by those outside MS and discussed by MS. But in fact if you install from genuine (unaltered) media, MS lets you get no farther than offering to sell you a legal copy at discount pr... (Read the rest)
Posted by: wellduh, 03/10/09 (Edited: 03/10/09 @ 08:23)
