Almost every critical vulnerability in Microsoft software published in 2014 could have been mitigated simply by removing admin rights from users, UK security firm Avecto has calculated after studying Patch Tuesday advisories for the year.
A year ago an Avecto analysis of the 2013 figures told a nearly identical story, with 92 percent of the most serious flaws de-clawed by removing admin rights, a figure that has now climbed to 97 percent.
Broken down by product, removing admin rights would have mitigated 97 percent of the critical flaws in the Windows OS, 99.5 percent of those in Internet Explorer, and 95 percent of those in Office.
Avecto used a simple methodology to decide whether a flaw would have been mitigated by removing admin rights: whether or not Microsoft's advisory for it contains the company's standard mitigation note.
The important sentence: “Customers/users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
As we pointed out in 2014, "less impacted" is not the same as saying that the flaw would have been completely harmless had admin rights been removed, but for many of them that would have been true: code that runs after exploiting, say, a browser flaw from a standard user account is confined to that user's rights and would need a separate elevation-of-privilege flaw to take over the machine.
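The methodology above amounts to scanning each advisory for Microsoft's "fewer user rights" sentence and tallying by product and severity. The following script, added here as an illustration and not Avecto's own code, does exactly that over a handful of constructed advisory records (the SAMPLE-nn identifiers are hypothetical, not real Microsoft bulletin numbers, and the summaries only paraphrase typical bulletin wording). It also lists the critical advisories that lack the note, since those are the ones for which removing admin rights buys nothing and other controls must carry the load.

```python
import re
from collections import defaultdict

# Microsoft's standard mitigation sentence, as quoted in the article. The regex
# tolerates the "Customers"/"Users" variants and line-wrapped whitespace, and
# ignores case because bulletin text is not consistently cased.
MITIGATION_RE = re.compile(
    r"(?:customers|users)\s+whose\s+accounts\s+are\s+configured\s+to\s+have\s+"
    r"fewer\s+user\s+rights\s+on\s+the\s+system\s+could\s+be\s+less\s+impacted",
    re.IGNORECASE,
)


def mentions_mitigation(advisory_text: str) -> bool:
    """True if the advisory carries Microsoft's 'fewer user rights' note."""
    return MITIGATION_RE.search(advisory_text) is not None


def mitigation_rate(advisories, severity="Critical"):
    """Per-product share of advisories at the given severity carrying the note.

    Returns {product: (with_note, total, percent)} with percent rounded to 1 dp.
    """
    counts = defaultdict(lambda: [0, 0])          # product -> [with_note, total]
    for adv in advisories:
        if adv["severity"] != severity:
            continue
        tally = counts[adv["product"]]
        tally[1] += 1
        if mentions_mitigation(adv["text"]):
            tally[0] += 1
    return {
        product: (hit, total, round(100.0 * hit / total, 1))
        for product, (hit, total) in counts.items()
    }


def overall_rate(advisories, severity="Critical"):
    """Share of all advisories at the given severity carrying the note."""
    per_product = mitigation_rate(advisories, severity).values()
    hit = sum(h for h, _, _ in per_product)
    total = sum(t for _, t, _ in per_product)
    if total == 0:
        return (0, 0, 0.0)
    return (hit, total, round(100.0 * hit / total, 1))


def unmitigated(advisories, severity="Critical"):
    """IDs of advisories at the given severity that lack the note entirely."""
    return [adv["id"] for adv in advisories
            if adv["severity"] == severity and not mentions_mitigation(adv["text"])]


# Constructed sample records (hypothetical IDs, paraphrased summaries).
NOTE = ("Customers whose accounts are configured to have fewer user rights on the "
        "system could be less impacted than users who operate with administrative "
        "user rights.")
SAMPLE_ADVISORIES = [
    {"id": "SAMPLE-01", "product": "Windows", "severity": "Critical",
     "text": "A remote code execution vulnerability exists in font parsing. " + NOTE},
    {"id": "SAMPLE-02", "product": "Windows", "severity": "Critical",
     "text": "Remote code execution via a crafted file. Users whose accounts are "
             "configured to have fewer user rights on the system could be less\n"
             "impacted than users who operate with administrative user rights."},
    {"id": "SAMPLE-03", "product": "Windows", "severity": "Critical",
     "text": "A remote code execution vulnerability exists in a kernel-mode driver. "
             "An attacker could run arbitrary code in kernel mode."},
    {"id": "SAMPLE-04", "product": "Windows", "severity": "Important",
     "text": "An elevation of privilege vulnerability exists in a system service."},
    {"id": "SAMPLE-05", "product": "Internet Explorer", "severity": "Critical",
     "text": "A memory corruption vulnerability allows remote code execution. " + NOTE},
    {"id": "SAMPLE-06", "product": "Internet Explorer", "severity": "Critical",
     "text": "Cumulative security update for Internet Explorer. " + NOTE},
    {"id": "SAMPLE-07", "product": "Office", "severity": "Critical",
     "text": "Opening a specially crafted document could allow code execution. " + NOTE},
    {"id": "SAMPLE-08", "product": "Office", "severity": "Critical",
     "text": "A remote code execution vulnerability exists in a shared component."},
    {"id": "SAMPLE-09", "product": "Office", "severity": "Important",
     "text": "A security feature bypass vulnerability exists. " + NOTE},
]

if __name__ == "__main__":
    for product, (hit, total, pct) in sorted(mitigation_rate(SAMPLE_ADVISORIES).items()):
        print(f"{product:18} {hit}/{total} critical advisories mitigated ({pct}%)")
    hit, total, pct = overall_rate(SAMPLE_ADVISORIES)
    print(f"{'Overall':18} {hit}/{total} ({pct}%)")
    print("Critical advisories without the note:", unmitigated(SAMPLE_ADVISORIES))
```

The unmitigated list is the more useful output in practice: it is the short list of patches that cannot wait for a least-privilege rollout to take the pressure off. Note that the check is only as good as Microsoft's wording, which is exactly the "less impacted" caveat above.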
Strikingly, however, the number of critical vulnerabilities in Microsoft software also rose sharply to 240, a 63 percent rise on the 2013 figure, emphasising the workload this issue now imposes on IT departments.
IT teams need a number of strategies to cope with the sheer number of dangerous flaws, and according to Avecto organisations that already control and manage admin rights are in better shape from day one than those that don't.
Normally admin rights shouldn't be granted on work machines, although this is easier said than done on some versions of Windows running older applications that expect to write to protected locations or to run as an administrator. In many cases, the effects of removing admin rights can be inconvenient.
“Our 2014 analysis highlights the continued benefits of stripping away admin rights,” said Avecto’s European vice president, Paul Kenyon. “Time and time again, the removal of admin rights proves to be a simple and effective threat mitigation strategy and yet many businesses are still overlooking this fundamental practice.”
“There is a misconception that passive tools, like detection technologies, can provide adequate protection, and yet evidence clearly demonstrates that organisations can no longer afford to rely on reactive strategies to deal with the advanced nature of so many attacks.”
It’s a point the firm has used to help market its privilege management system Defendpoint (previously Privilege Guard), which also offers modules for sandboxing and application control.
According to Kenyon, dangerous applications can be blunted more effectively if the user can't access the important privileges that come with admin-level access, such as installing applications.
“Privilege Management […] can mitigate the majority of advanced cyber-attacks, especially when layered with other proactive approaches, such as application control, patch management and sandboxing,” said Kenyon.