Skip to content

Management

Technology

Toolbox

Training

Books

White Papers

Webcast

Resource Centre


ComputerworldUK CommunIT

Want to join the UK’s fastest growing dedicated IT community? Enter here to browse the UK’s top usergroups, societies and associations.

Data control & Intellectual Property management > security > news

February 04, 2009

Blocking admin rights prevents 92% of Microsoft bugs

Why didn't we think of that before?

By Gregg Keizer, Computerworld

Nine of out 10 critical bugs reported by Microsoft last year could have been made moot, or at least made less dangerous, if people ran Windows without administrative rights, a developer of enterprise rights management software claimed Tuesday.

Advert

BeyondTrust, which is promoting its Privilege Manager as a way for companies to lock down PCs, tallied the individual vulnerabilities that Microsoft disclosed in 2008, then examined each accompanying security bulletin.

Where the bulletin's "Mitigating Factors" section, the part that spells out how to lessen the risk of attack or eliminate it entirely, said that users with fewer rights "could be less impacted than users who operate with administrative rights," the bug was counted by BeyondTrust.

The study found 92% of critical Microsoft vulnerabilities could have been mitigated by stripping users of administrative rights, said John Moyer, the CEO of BeyondTrust. "This speaks to what enterprises should be doing," Moyer said. "Clearly, eliminating administrative rights can close the window of opportunity of attack."

Of the 154 bugs published and patched by Microsoft in 2008, critical or not, 69% would have been blocked or their impact reduced by configuring users to run without administrative rights, said the company.

When BeyondTrust looked at the vulnerabilities patched for Microsoft's browser, Internet Explorer (IE), and its application suite, Office, it found that 89% of the former and 94% of the latter could have been stymied by denying users administrative privileges.

"We were surprised to see how large the number was," said Scott McCarley , the company's director of marketing. "It really drives home how critical a role [rights] play."

Microsoft's approach to user rights has been a matter of debate of late. Last week, a pair of bloggers posted proof-of-concept code that demonstrated how attackers could disable Windows 7's revamped User Account Control (UAC) . UAC, a security feature that debuted in 2007 with Windows Vista, prompts users for their consent before Windows allows tasks such as program installations to continue.

"That proof-of-concept illustrates how important it is that users log in as a standard user, not as administrative users," said McCarley. Only users running Windows with administrative rights are vulnerable to the attack.

Microsoft has refused to call the Windows 7 UAC issue a security bug, and instead has insisted that the behaviour exploited by the malicious script is by design.

Follow highlights from ComputerworldUK on Twitter
Sign up for our Daily Newsletter
The UK IT News widget Get it for your site!

« prev article | more security news | next article »

Advert

close

Email this article to a friend or colleague:




PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

close
  • This article is now being printed.
close

What are your views on this subject? Use the form below to post a comment on this article up to 1000 characters.


Characters remaining:

close

Click below to add 'Blocking admin rights prevents 92% of Microsoft bugs - Data control & Intellectual Property - ComputerworldUK' to your blog.



If you do not have a ComputerworldUK Account and would like to use this feature, please Register.

If you are a registered, logged-in user, this will post the title and first paragraph of this story to your blog to share with your readers.

What is this?

Comments received

duhh.... said on Sunday, 15 February 2009

"We were surprised to see how large the number was," said Scott McCarley , the company's director of marketing. "It really drives home how critical a role [rights] play."

And this is why the worst mal-ware for Linux doesn't bring down the entire system without user help (e.g. weak passwords, socially engineered viruses/trojans, etc.) One would think that such a conclusion would be obvious, not surprising.

As for the Windows 7 UAC issue, "It's not a bug, it's a feature!" This is why Windows continues to fail at security.

Advert

WHITE PAPERS

  • Legal risks: Employee use of the internet and email
    Exploring the challenges facing IT Mangers today and vital steps to ensure safe internet an email use by employees.
  • Phishing for victims
    This White Paper examines the phenomenon of phishing. It explains the potentially catastrophic threat it presents to all kinds of organisation. Exploding some widespread myths, it lights up the murky waters where phishing first emerged and where it continues to evolve. But it also highlights what your business can do to blunt the threat.
  • Challenges and opportunities of PCI
    The control framework implicit in the Payment Card Industry Data Security Standard (PCI DSS) provides an enterprise structure for improving operational, security, and audit performance.
  • Social CRM comes of age
    Who is this “social customer”? What strategies and tools does the new breed of CRM provide to do something about this?
  • Risk Management: Protect and Maximize Stakeholder Value
    What has held organisations back from a broader adoption of risk management programs?
*