By collecting data from Microsoft's Security Bulletins published throughout the year, and identifying the vulnerabilities that would have been mitigated for users whose accounts are configured with fewer user rights on the system, BeyondTrust's quantitative report delivers a simple message: get back to the basics.
Key summary points on the percentage of flaws mitigated:
90% of Critical Windows 7 operating system vulnerabilities are mitigated by having users log in as standard users
100% of Microsoft Office vulnerabilities reported in 2009
94% of Internet Explorer and 100% of IE 8 vulnerabilities reported in 2009
64% of all Microsoft vulnerabilities reported in 2009
87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights
The window of opportunity -- 21 days in the case of this out-of-band IE patch -- is often left wide open for too long, which prompts the most basic question: what should a company or an end user do until a patch is available, beyond the obvious step of switching to an alternative browser? Get back to the basics, and assume the worst, in an attempt to mitigate the highest possible share of the risk posed by the situation.
Calls for "dropping your rights" have been made for years. And whereas the process has become easier to implement in the latest versions of Windows, certain companies and end users remain reluctant to adopt this basic security practice, largely basing their decisions on their obsession with perimeter defense.
Moreover, with respect to BeyondTrust's report, there are two fundamental points that the report isn't emphasizing:
Cybercrime is not driven by the use of zero-day flaws, but by the millions of people using the Internet with outdated software. It's a simple fact that has so far contributed to the continued growth of some of the most prolific botnets, and old, already-patched flaws in popular applications remain the main vehicle for Zeus crimeware infections. Naturally, there are campaigns that rely exclusively on recently published flaws, but the window of opportunity those offer closes sooner than the one offered by all the outdated applications running on the same PC, combined. It's the cybercriminal's mentality of traffic optimization for malicious purposes (see example: Money Mule Recruitment Campaign Serving Adobe/Client-Side Exploits) that offers the highest probability of infection.
In terms of closing the window of opportunity that malicious attackers systematically exploit until a patch is released, the best advice is the most pragmatic one. And in this case, it's also the easiest one to implement: remove admin rights, sandbox your browser, and keep all those third-party apps and browser plugins up to date.