Report: 64% of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts

Summary: According to a newly released report, 64% of all the reported Microsoft vulnerabilities for 2009 could have been mitigated by using the principle of the least privileged accounts.

By collecting data from Microsoft's Security Bulletins published throughout the year, and identifying the vulnerabilities that would have been mitigated for users whose accounts are configured with fewer rights on the system, BeyondTrust's quantitative report arrives at a simple message: get back to the basics.

Key summary points on the percentage of flaws mitigated by removing administrator rights:

  • 90% of Critical Windows 7 operating system vulnerabilities are mitigated by having users log in as standard users
  • 100% of Microsoft Office vulnerabilities reported in 2009
  • 94% of Internet Explorer vulnerabilities, and 100% of IE 8 vulnerabilities, reported in 2009
  • 64% of all Microsoft vulnerabilities reported in 2009
  • 87% of vulnerabilities categorized as Remote Code Execution vulnerabilities

The window of opportunity, 21 days in the case of this out-of-band IE patch, is often left wide open for too long, and that prompts the most basic question: what should a company or an end user do until a patch is available, other than switching to an alternative browser? Get back to the basics, and assume the worst, so as to mitigate the highest possible share of the risk posed by the situation.

Calls to "drop your rights" have been made for years. And while the process has become easier in the latest versions of Windows, certain companies and end users remain reluctant to implement this basic security measure, largely because of their fixation on perimeter defense.

Prevention is better than cure, even from a cost perspective. There is also no shortage of additional measures, such as sandboxing your favorite browser (Sandboxie is free for personal use) to ensure that what happens in the sandbox stays in the sandbox. Similar advice was given by the American Bankers’ Association (ABA) last month.

Moreover, there are two fundamental points that BeyondTrust's report does not emphasize:

  • Cybercrime is not driven by the use of zero-day flaws, but by the millions of people using the Internet with outdated software. This simple fact has contributed to the rise and rise of some of the most prolific botnets, and old flaws in popular applications remain the main vehicle for Zeus crimeware infections. Naturally, there are campaigns that rely exclusively on recently published flaws, but the window of opportunity they offer closes sooner than the one offered by all the outdated applications running on the same PC, combined. It is the cybercriminal's mentality of traffic optimization for malicious purposes (see example: Money Mule Recruitment Campaign Serving Adobe/Client-Side Exploits) that yields the highest probability of infection.
  • Microsoft OS and software vulnerabilities are only a part of the drive-by exploit cocktail served by web malware exploitation kits. You would be surprised how many people are so focused on "Patch Tuesday" that they overlook the considerable number of outdated browser plugins and third-party applications installed on their PCs. The result? A false sense of security which, combined with outdated situational awareness of how modern web malware exploitation kits work, leads to a successful drive-by attack. It should not come as a surprise that malicious PDF files comprised 80 percent of all exploits for 2009, nor that the use of Microsoft Office files in targeted attacks is declining. Two years ago Microsoft itself confirmed this trend - Microsoft: Third party apps killing our security.

When it comes to closing the window of opportunity that attackers systematically exploit until a patch is released, the best advice is the most pragmatic one, and in this case it is also the easiest to implement: remove admin rights, sandbox your browser, and take care of all those third-party applications and browser plugins.
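The three recommendations above (standard-user accounts, a browser that runs with fewer rights, and attention to third-party software) can be audited from a Windows shell. The following PowerShell script is an added example written for this page; it is not code from the article, from BeyondTrust, or from any of the tools mentioned. It assumes Windows XP SP2 or later with PowerShell 2.0 or later and uses only built-in pieces: the .NET WindowsPrincipal role check, the ADSI WinNT provider for local group membership, the registry Uninstall keys, and runas.exe's /trustlevel switch, which builds a restricted token through SAFER in the same spirit as DropMyRights-style tools that call CreateRestrictedToken. The function names are assumptions of this example.

```powershell
# Added example for this page (not from the article, BeyondTrust or any tool
# it names). Requires Windows XP SP2 or later with PowerShell 2.0 or later.

# 1. Does this process carry administrative rights? On Vista/7 with UAC on, a
#    non-elevated admin shell answers $false because its Administrators SID is
#    deny-only; on XP, or with UAC turned off, an admin shell answers $true.
function Test-ProcessIsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Who is in the local Administrators group? Uses the ADSI WinNT provider,
#    which exists on XP/2003/Vista/7 (Get-LocalGroupMember does not).
function Get-LocalAdministrators {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $name = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{ Name = $name; Source = $path }
    }
}

# 3. Run a program under a SAFER "Basic User" token (trust level 0x20000):
#    Administrators and Power Users become deny-only SIDs and most privileges
#    are stripped, with no second account and no password prompt. This is the
#    restricted-token idea behind DropMyRights/RemoveAdmin, exposed by runas.exe.
function Start-AsBasicUser {
    param([Parameter(Mandatory = $true)][string]$CommandLine)
    & "$env:windir\System32\runas.exe" /trustlevel:0x20000 $CommandLine
}

# 4. Inventory non-Microsoft software from the Uninstall keys (native,
#    32-bit-on-64-bit, and per-user installs) so that readers, players and
#    plugins are at least visible next to the Patch Tuesday updates.
function Get-ThirdPartySoftware {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.Publisher -notmatch '^Microsoft' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object Publisher, DisplayName
}

# ---- usage ----
if (Test-ProcessIsAdmin) {
    Write-Warning 'This shell has full administrative rights; anything exploited from it has them too.'
}
Get-LocalAdministrators | Format-Table Name, Source -AutoSize
Get-ThirdPartySoftware  | Format-Table -AutoSize

# Prove the restriction: the child cmd.exe should list BUILTIN\Administrators
# as "Group used for deny only" and only a handful of privileges.
# (whoami.exe ships with Vista and later; on XP it comes with the Support Tools.)
Start-AsBasicUser "$env:windir\System32\cmd.exe /k whoami /groups & whoami /priv"
```

Two caveats worth keeping in mind. On Vista and Windows 7 with UAC enabled, every non-elevated process of an administrator already runs with a filtered token, so step 3 matters mainly on XP or where UAC has been switched off. A restricted token limits what an exploited browser can do to the operating system, not what it can do to the user's own profile; that is the gap the sandboxing recommendation covers. The inventory in step 4 tells you what is installed, not whether it is current, so its output still has to be compared against the vendors' advisories.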

Topics: Microsoft, Browser, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • I've been recommending this for years.

    And few people listened. It's not a security panacea, as user mode exploits can be very effective. But at least such an exploit can be removed much more easily.
    • Yep....

      No one in the company I work for runs as anything other than "user". We have very few problems with malware, and the select few I have had to fix were not difficult to clean up as they only messed with the profile and not the OS files.
      • I suspect it also significantly decreases the number of problems.

        Because users aren't going around installing every piece of software they can find as well as making system level changes.
        • You got it......

          We have little to no desktop support issues over the past 2 years. My desktop tech has trouble finding stuff to do outside of supporting peripheral hardware that we use extensively and 3rd party apps.
    • vendors need to change

      I wish vendors would start taking this into account. Nothing drives me more crazy than software that requires full admin rights. You'd think this would have changed by now, but nope.
      • Actually only lame programmers and end-users require all rights

        because they are too lazy and stupid to understand the fine security nuances and granularity provided by the Windows Security subsystem.

        But that is what the "Designed for Windows 7" certification label is for.

        Never buy anything that isn't certified with that logo.

        That will hit these vendors where it hurts most, their bottom line, then it will become critical for them to learn to program correctly and deliver solid packages that are Windows 7 compliant.

        Consumers, vote with your wallet!

        Simple solution eh?
        • It's been a requirement since Windows 2000.

          [i]But that is what the "Designed for Windows 7" certification label is for.[/i]

          Given it's now ten years later and we're still dealing with the problem, I'm not holding my breath for software developers to get it. I just bought UltraEdit 16 and it doesn't work correctly with LUP.
  • I've told people for years

    Don't run with administrative rights.

    Windows' security APIs actually eliminate the need for a secondary account and the use of a password. Sadly, few people know about this side of Windows (even people who are "professional IT administrators").

    Namely, utilities that strip administrative rights.

    The easiest one (for non-techies) is RemoveAdmin, it creates shortcuts on your desktop that will launch either IE or Firefox without administrative rights (quit your browser after installing it):

    The purpose of the installer is to create shortcuts and provide a turnkey system. Believe me, when I've evangelized command line tools that do the same, it just doesn't happen with 99% of people. People are just too lazy or the command line is over their heads.

    RemoveAdmin takes on the lazy side of people by creating convenient shortcuts. If you look closely at the shortcuts it's just a reference to the RemoveAdmin program with a browser as an argument.

    Which means you can use RemoveAdmin to launch anything and strip out administrative rights on that process. Under Windows XP I did this for ANY application that talked on the Net, IM, iTunes, WinAmp, QuickTime, etc., etc. All these apps have had security issues and eliminating administrative rights is a big help.

    With the advent of Vista and Windows 7, RemoveAdmin is more useful for Windows XP users (or gasp, Windows 2000). But if you're foolish enough to turn off UAC on either Vista or Windows 7, then RemoveAdmin will work even with those platforms.

    • Or, you know, just run as a standard user...

    • And what about the shell (explorer.exe)?

      You have the right idea (don't run a user app with admin rights), but this is so simply done using standard user accounts...

      UAC has one use that would make me use it in Vista or 7: it can run browsers with lower-than-user privileges. However, the overhead UAC entails is so high, that I'd rather use a password-protected admin account for admin tasks only, and then switch to a limited user account for EVERYTHING ELSE.

      This removes overhead (UAC, even in 7, is a PIG) and also ensures that all code that is not kernel code, runs as userland processes with user rights. Ever since Vista, that includes the graphical shell in its entirety too.
      Mitch 74
      • You're confusing kernel code for code running with...

        [i]This removes overhead (UAC, even in 7, is a PIG) and also ensures that all code that is not kernel code, runs as userland processes with user rights.[/i]

        ...elevated privileges.
    • Linux was designed with the end user in mind

      [i]I've told people for years. Don't run with administrative rights.[/i]

      And nobody's listening. Otherwise it still wouldn't be a problem for Windoze.

      Now with Linux, everything is modular by nature, [b]from the ground up[/b]

      [i]Linux does not have a history of being a single-user system. Therefore it has been designed from the ground-up to isolate users from applications, files and directories that affect the entire operating system. Each user is given a user directory where all of the user's data files and configuration files are stored. When a user runs an application, such as a word processor, that word processor runs with the restricted privileges of the user. It can only write to the user's own home directory. It cannot write to a system file or even to another user's directory unless the administrator explicitly gives the user permission to do so.

      Even more important, Linux provides almost all capabilities, such as the rendering of JPEG images, as modular libraries. As a result, when a word processor renders JPEG images, the JPEG rendering functions will run with the same restricted privileges as the word processor itself. If there is a flaw in the JPEG rendering routines, a malicious hacker can only exploit this flaw to gain the same privileges as the user, thus limiting the potential damage. This is the benefit of a modular system, and it follows more closely the spherical analogy of an ideally designed operating system (see the section Windows is Monolithic by Design, not Modular).

      Given the default restrictions in the modular nature of Linux; it is nearly impossible to send an email to a Linux user that will infect the entire machine with a virus. It doesn't matter how poorly the email client is designed or how badly it may behave - it only has the privileges to infect or damage the user's own files. Linux browsers do not support inherently insecure objects such as ActiveX controls, but even if they did, a malicious ActiveX control would only run with the privileges of the user who is running the browser. Once again, the most damage it could do is infect or delete the user's own files.

      Even services, such as web servers, typically run as users with restricted privileges. For example, Debian GNU/Linux runs the Apache server as the user www-data, who belongs to a group with the same name, www-data. If a malicious hacker manages to gain complete control over the Apache web server on a Debian system, that hacker can only affect files owned by the user www-data, such as web pages. In turn, the MySQL SQL database server often used in conjunction with Apache, runs with the privileges of the user mysql. So even if Apache and MySQL are used together to serve web pages, a malicious hacker who gains control of Apache does not have the privileges to exploit the Apache hole in order to gain control of the database server, because the database server is "owned" by another user.

      In addition, users associated with services such as Apache, MySQL, etc., are often set up with user accounts that have no access to a command line. So if a malicious hacker somehow breaks into the MySQL user account, that hacker cannot exploit that vulnerability to issue arbitrary commands to the Linux server, because that account has no ability to issue commands.

      [b]In sharp contrast, Windows was originally designed to allow all users and applications to have administrator access to every file on the system. Windows has only gradually been re-worked to isolate users and what they do from the rest of the system. Windows Server 2003 is close to achieving this goal, but the methodology Microsoft has employed to create this barrier between user and system is still largely composed of constantly changing hacks to the existing design, rather than a fundamental redesign with multi-user capability and security as the foundational concept behind the system.[/b][/i]
      ubiquitous one
      • Good article, back in '04 (nt)

        • Which parts of it are outdated..

          ..besides "Windows has only [i]recently[/i] evolved from a single-user design to a multi-user model" and "A Comparison of 40 [i]Recent[/i] Security Patches"?

          Does the rest of it not still stand?
  • Hopefully Windows will follow Ubuntu's good example by ceasing to make the

    default account an admin, some day.

    Also, not requiring admin privileges for every little thing (even playing video games requires admin rights thanks to all the DRM and PB crud) would do wonders in bringing Windows up to Linux standards.
    • April Fool's Day right?

      Games on Linux?

      Pull the other one.
      • Maybe if you live in China.

        As for games on Linux.. pretty much any that don't require Microsoft DirectX 10 or Microsoft DirectX 11.
      • Heh...

        The kid plays SIMS 3 on Linux. I play WoW, Guild Wars, Left4Dead, EVE Online and quite a few others. Try again.
        • Neither

          Neither you nor Tony actually read the post. He didn't say he played games on Linux or even hinted at it...[b]you[/b] read that into the post.
    • And just what standards may you be talking about?

      And just what standards may you be talking about?