The good news: Removing admin privileges can mitigate most of them, a new study by BeyondTrust shows.
A new analysis of Microsoft’s security updates in 2018 suggests the company’s long-standing efforts to build more secure products continue to be very much a work in progress.
Microsoft disclosed more security vulnerabilities — 700 — in total across its operating system, browser, and office products last year than it did in 2017.
Since 2013, vulnerabilities in Microsoft products have, in fact, more than doubled rather than go down, with even supposedly secure technologies such as Windows 10 and Edge having a disturbingly high number of them, an analysis by BeyondTrust has found.
The one mitigating factor for enterprise organizations is that the threat from a vast majority of these flaws can be neutralized by properly managing the administrative rights available to Windows users, the security vendor said in a report Thursday.
“Eighty-one percent of vulnerabilities for 2018 can be mitigated just by removing administrative rights” on a Microsoft Windows device, says Morey Haber, CTO and CISO at BeyondTrust. “Microsoft cannot remove administrative rights by default. It is needed to initially set up and configure any new deployment of a Windows asset.” So organizations need to ensure the rights are removed or disabled after initial setup, he notes.
Of the 700 vulnerabilities that Microsoft disclosed last year, 189 were classified as being of critical severity. Though that number was lower than the 235 critical vulnerabilities disclosed in 2017, over a five-year period the number of critical flaws in Microsoft products actually increased 30%, BeyondTrust’s analysis shows.
As in previous years, remote code execution (RCE) flaws accounted for the largest proportion of vulnerabilities in Microsoft products last year. Of the 700 total flaws, 292 were remotely exploitable and 178 were rated as critical. Since 2013, the number of RCE flaws increased 54% overall.
Significantly, even Microsoft’s newer Windows 10 operating system and Edge browser continue to be riddled with security issues. Last year a total of 112 severe flaws were reported in Edge — a sixfold increase from 2015, when the browser first became available on Windows. Meanwhile, Windows 10, which Microsoft has positioned as one of its most secure, had 474 vulnerabilities, of which more than one-third was critical. On a positive note, the number of flaws in Windows 10, both critical and non-severe, was lower than in 2017.
BeyondTrust found that most flaws in Microsoft products pose a threat only to systems where administrator rights are enabled. For example, removing administrator rights would have mitigated 84% of the critical flaws in Windows 10 last year. The same was true for 100% of Edge browser vulnerabilities, 85% of the flaws in Windows, and 83% of the flaws in Windows servers.
The situation continues to exist for two primary reasons, Haber says. Many organizations are hesitant to disable administrator privileges out of concern that doing so would disrupt the end user experience. Inertia is another big factor. “It is much simpler for organizations to grant administrative rights and allow the end user to ‘just work’ versus assigning privileges,” he says.
In reality, disabling administrator-level access on Windows devices takes little effort and can be done via Group Policy Preferences for all assets in a domain. However, when doing so, administrators need to ensure they are not degrading the experience for users who might need that access. Multiple tools are available from Microsoft and others that allow administrators to enforce a least privilege model, down to a service or registry key, Haber says.
The tools let standard users perform needed administrative asks without granting them admin rights. “All organizations should attempt to embrace these strategies to lower risk,” Haber says.