A recently released report by BeyondTrust entitled "Reducing the Threat from Microsoft Vulnerabilities" indicates that that according to the company's analysis of all the security bulletins Microsoft published in 2008, 92% of the critical vulnerabilities could have been mitigated by the principle of the least privilege.
Despite the fact that Microsoft's products continue topping the "successfully exploited charts" in each and every web malware exploitation kit (go through sample infection rates), long gone are the days when Microsoft's products are targeted exclusively. Nowadays, in order to better optimize a malware campaign, a web malware exploitation kit is targeting a diverse set of client-side software/browser plugins.
Here are some of the key points from the report :
- 92% of Critical Microsoft vulnerabilities are mitigated by configuring users to operate without administrator rights
- Of the total published Microsoft vulnerabilities, 69% are mitigated by removing administrator rights
- By removing administrator rights companies will be better protected against exploitation of 94% of Microsoft Office, 89% of Internet Explorer, and 53% of Microsoft Windows vulnerabilities
- 87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights
Interestingly, starting from the basic fact that the client-side vulnerabilities exploited through the web exploitation kits have had their associated patches for months, sometimes years, end users appear to not only lack understanding of least privilege accounts, but also, still believe that patching their browser is where the self-auditing process both, starts and ends.
Moreover, the ongoing Conficker/Downadup malware campaign which has already passed the 10 million infected hosts milestone, is a very recent example of another phenomenon - the fact that millions of end users and possibly companies, are on purposely using pirated copies of Windows and are therefore using highly vulnerable, yet Internet connected, versions of it. The proof? Symantec's geolocated graph of infected Conficker hosts speaks for itself, as the countries having the highest software piracy rate, are in fact the ones most heavily hit by the malware.
However, least privilege accounts can always be used by both, legitimate users and software pirates altogether, which when combined with a decent situational awareness in the sense of knowing the current attack tactics, is prone to decrease their chance of getting successfully compromised.