Security flaws not so critical if admin rights are taken away

Privilege management can be a good workaround while waiting for IT to catch up on patch schedules

Patching software is important, but there are often good reasons why it can't happen right away. A recent analysis of Microsoft's 2015 security bulletins shows that restricting account privileges effectively mitigates a majority of the issues. Privilege management can protect users while buying time for IT to test and deploy patches.

Microsoft patched 524 vulnerabilities across its line of products in 2015, of which 251 were rated as critical severity, according to an analysis by security software company Avecto. Overall, 63 percent of all vulnerabilities Microsoft patched in 2015 could have been mitigated by removing administrator rights from user accounts, the company found.

The figure jumps when narrowing the focus to only critical vulnerabilities. A little less than half, or 48 percent, of the vulnerabilities patched in 2015 were rated as critical, but Avecto found that 86 percent of those critical flaws could have been mitigated by removing administrator rights. Remote code execution flaws are particularly worrisome for enterprises, since attackers can exploit those holes to run malware and other applications and take over user machines. Avecto found that 85 percent of critical remote code execution vulnerabilities patched in 2015 could be mitigated by removing admin rights.

"A large proportion of the business community still remains ignorant to the most effective measures that should be taken in mitigating the risk associated with these vulnerabilities," said Mark Austin, co-founder and co-CEO at Avecto.

The case for least privilege

Giving users administrator-level privileges is a no-no in the standard system-administrator handbook, but the fact remains the practice is widespread. Attackers don't need to worry about discovering and using zero-day vulnerabilities or crafting exploits targeting unpatched security holes when they can use easier methods to steal account credentials from users. When those accounts have privileges typically associated with administrators, an attacker is well on the way toward having full control of the targeted machine.

"From a hacker's perspective, getting access to admin rights is like an open door into the corporate network. By having unrestricted admin rights you are essentially inviting malware into your organization," said Sami Laiho, a Windows security expert and Microsoft MVP.

Elevation-of-privilege vulnerabilities are the "worst vulnerabilities in any environment outside of ones that are remotely exploitable with no user interaction," said Morey Haber, vice president of technology at security company BeyondTrust. However, the majority of vulnerabilities fixed by Microsoft -- 84 percent -- are remote code execution flaws, which run in the security context of the process they compromise and do not by themselves raise privileges.

If the exploit executed code on the target machine as a standard user, or as a user under a least privilege model, the payload would be confined to whatever tasks that user could perform. This typically means the payload could not modify system processes or services, machine-wide registry entries, or key system files, and could not install software. Running as a standard user, the exploit and payload have little ability to change the system itself or inflict any lasting damage beyond what that one account can reach.

Reducing privileges lowers risks even if the operating system and application are not patched to the latest version. "Reducing privileges has proven to be an effective method to limit unpatched risks, not only in 2015, but for all Microsoft solutions over time," Haber said.

Privilege management is only effective if IT is strict about the kind of access rights it is granting. IT should couple vulnerability management with the system of assigning least privilege, and monitor applications and operating systems to make sure they have the right levels of privileges. When the software application is not up-to-date on its patches or a component needs to be updated, IT should reduce existing rights. The privileges can be restored as soon as IT completes the testing and patching cycle.
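The two practical questions behind the passages above are: does a given session actually hold only standard-user rights (so that an exploit in it would be contained as described), and which accounts on a machine still sit in the local Administrators group? The PowerShell script below is an added example, not code from the article, from Avecto or from BeyondTrust. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module; the allow list of accounts permitted to keep admin rights is a hypothetical placeholder you would replace with your own.

```powershell
# Added example (not from the article or the vendors quoted in it): audit local
# admin rights on a Windows host and show what a standard-user token can touch.
# Assumes Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module.
#Requires -Version 5.1

function Test-IsElevated {
    # True only when the current token holds the Administrators role. Under UAC a
    # member of Administrators in a non-elevated session has a filtered token and
    # this returns False, which is the state the article's containment argument needs.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-ProtectedWrite {
    # Try the kinds of changes the article says a standard user cannot make: a
    # machine-wide registry key and a file under Program Files. Each probe is
    # rolled back on success so the check leaves nothing behind.
    $probes = @(
        @{ Name   = 'HKLM key (machine-wide persistence)'
           Action = { $k = New-Item -Path 'HKLM:\SOFTWARE\PrivAudit' -Force -ErrorAction Stop
                      Remove-Item -Path $k.PSPath -Force } },
        @{ Name   = 'Program Files (install software)'
           Action = { $f = Join-Path $env:ProgramFiles 'privaudit.tmp'
                      Set-Content -Path $f -Value 'x' -ErrorAction Stop
                      Remove-Item -Path $f -Force } }
    )
    foreach ($p in $probes) {
        try   { & $p.Action; $ok = $true }
        catch { $ok = $false }
        [pscustomobject]@{ Probe = $p.Name; Writable = $ok }
    }
}

function Get-LocalAdminAudit {
    param(
        # Hypothetical allow list: accounts permitted to remain in Administrators.
        [string[]] $Allowed = @("$env:COMPUTERNAME\Administrator")
    )
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Member   = $_.Name
            Class    = $_.ObjectClass       # User or Group
            Source   = $_.PrincipalSource   # Local, ActiveDirectory, ...
            Expected = ($Allowed -contains $_.Name)
        }
    }
}

function Remove-UnexpectedLocalAdmin {
    # Remove members not on the allow list. Run with -WhatIf first to see what
    # would change; the actual removal needs an elevated session.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]] $Allowed = @("$env:COMPUTERNAME\Administrator"))
    Get-LocalAdminAudit -Allowed $Allowed | Where-Object { -not $_.Expected } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Member, 'Remove from Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $_.Member -ErrorAction Stop
        }
    }
}

# Usage: report the session's privilege state, then list and (dry-run) trim local admins.
"Running elevated: $(Test-IsElevated)"
Test-ProtectedWrite | Format-Table -AutoSize
Get-LocalAdminAudit | Format-Table -AutoSize
Remove-UnexpectedLocalAdmin -WhatIf
```

Run from a standard-user session, Test-IsElevated reports False and both probes report Writable = False, which is the containment the article describes; run elevated, both flip to True. Get-LocalAdminAudit is the inventory step IT needs before deciding which rights to pull, and the -WhatIf dry run lets you review the removals before applying them on a fleet.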

Privilege management should not be viewed as a "perfect solution," but rather as "a containment model," Haber said.

Privilege management is not just something to keep in mind for Microsoft vulnerabilities; it can be effective against Java- and Flash-based attacks as well. Administrators should think twice about giving administrator rights to an application with known vulnerabilities.

"If the risk is known, why ever give that unpatched component or third-party application excessive rights until it is patched?" Haber said. "This ensures that even the simplest of exploits are always contained even if rights are needed to execute them."

Latest versions don't fare better

Microsoft may call Windows 10 the "most secure Windows ever," but Avecto found the same pattern for Windows 10. Over a quarter of the critical vulnerabilities Microsoft fixed in 2015 affected Windows 10, and 82 percent of the vulnerabilities that affected Windows 10 could have been mitigated by removing admin rights. Server operating systems weren't exempt from this analysis either, since Avecto found that 85 percent of critical vulnerabilities affecting Windows Server could be mitigated just by paying attention to user privileges.

Avecto also looked at the patches for Microsoft Office, namely Office 2010, 2013, 2016, and individual programs Excel, Word, PowerPoint, Visio, and Publisher. About 82 percent of vulnerabilities in Microsoft Office -- and 100 percent of vulnerabilities affecting Office 2016 -- could be mitigated by removing admin rights.

Nearly 99.5 percent of vulnerabilities that Microsoft patched in Internet Explorer -- from versions 6 to 11 -- could have been mitigated by removing administrator rights. Microsoft Edge is supposed to be the more secure Web browser, yet every single vulnerability affecting Edge could have been mitigated by, yep, removing admin rights.

"It's important that companies remain discerning and don't just assume that certain platforms are inherently secure because they are popular or new," Austin said.

Copyright © 2016 IDG Communications, Inc.