Eighty percent of all Microsoft security vulnerabilities in 2014 could be mitigated by removing admin rights, according to a report from Avecto, which analyzed data from the security bulletins Microsoft issued throughout 2014.
Of the 240 vulnerabilities Microsoft classified as critical, 97 percent were mitigated this way. Overall, the number of critical vulnerabilities in 2014 was up 63 percent over 2013, from 147.
In 2014, 300 vulnerabilities were reported across Windows XP, Vista, Windows 7 and Windows 8 operating systems, compared to 253 in 2013. A total of 245 vulnerabilities were reported that affected IE versions 6-11. That figure compares to just 123 reported vulnerabilities in 2013.
The report found 99.5 percent of all vulnerabilities in Internet Explorer (IE) could be mitigated by removing admin rights, 95 percent of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights, and 97 percent of Critical Remote Code Execution vulnerabilities could be mitigated by removing admin rights.
Microsoft bulletins, which provide solutions for known security issues, are issued on the second Tuesday of each month, a date commonly known as Patch Tuesday.
User accounts with admin privileges are primary targets for exploitation, as they provide unrestricted access to an endpoint, enabling malware to bury itself deep inside the operating system, cloak itself from detection and then spread more readily across the network.
Employees with admin rights have the ability to install, modify and delete software and files, and they can also change system settings, potentially introducing even more vulnerabilities.
The bulletins also cover additional Microsoft services that fall outside the Microsoft Office, Windows Server, Internet Explorer and Windows OS summaries, including SharePoint, Access, Exchange and the .NET Framework.
There were 22 reported vulnerabilities affecting these services in 2014, with four classed as critical.
The report concluded that cyber criminals are becoming increasingly sophisticated and targeted in bypassing security controls, instead targeting individual users as a way to gain entry to corporate files and data.
The study suggested one of the most effective ways to mitigate such threats is to remove administrator rights from users completely, using privilege management and application control technology to allow all users to function effectively under a standard user account.
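The first practical step behind that recommendation is knowing which accounts actually hold local admin rights on an endpoint. The PowerShell script below is an added example, not code from the Avecto report or from any product it describes: it enumerates the local Administrators group, reports every member that is not on an approved list, and previews demoting them to standard users. The approved list (the built-in Administrator account and a `CONTOSO\Workstation Admins` group) is a constructed placeholder to be replaced with the organization's own principals. It uses the `Microsoft.PowerShell.LocalAccounts` cmdlets that ship with Windows PowerShell 5.1 and later.

```powershell
# Added example (not from the Avecto report): audit local Administrators group
# membership on a Windows endpoint and flag members that are not approved.

function Get-UnapprovedLocalAdmins {
    [CmdletBinding()]
    param(
        # Principals that are allowed to keep local admin rights, e.g. 'HOST\Administrator'
        # or 'DOMAIN\Some Group'. Everything else is reported as a finding.
        [Parameter(Mandatory)]
        [string[]]$ApprovedMembers
    )

    # Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts module) reads the
    # local group; reading does not require an elevated session.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        if ($ApprovedMembers -notcontains $m.Name) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass     # User or Group
                PrincipalSource = $m.PrincipalSource # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            }
        }
    }
}

function Test-IsElevated {
    # Changing group membership needs an elevated (High Mandatory Level) session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Constructed placeholder approved list; replace with your own break-glass and
# IT support principals before using the output for anything beyond reporting.
$approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (keep disabled or LAPS-managed)
    'CONTOSO\Workstation Admins'         # placeholder domain group for IT support staff
)

$findings = @(Get-UnapprovedLocalAdmins -ApprovedMembers $approved)

if ($findings.Count -eq 0) {
    Write-Host "No unapproved members in the local Administrators group."
} else {
    Write-Host "Unapproved local administrators on $env:COMPUTERNAME:"
    $findings | Format-Table -AutoSize

    if (Test-IsElevated) {
        # -WhatIf only previews the removal. Remove it once the approved list has
        # been reviewed, so the script actually demotes the accounts to standard users.
        foreach ($f in $findings) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $f.Member -WhatIf
        }
    } else {
        Write-Warning "Run from an elevated session to remove the unapproved members."
    }
}
```

Run it as an inventory job across a fleet (for example through a scheduled task that writes the findings to a central share) and the report becomes the before-and-after measure for an admin-rights removal project; the `-WhatIf` guard keeps the first runs read-only until the approved list has been agreed with the teams that rely on those accounts.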
“Complement this by layering security strategies as part of a Defense in Depth (DiD) approach. The overlap of these layers of defense aims to ensure that the shortcomings of one security control are covered by another,” the report stated. “For example, in the gap between a patch being discovered and applied, Sandboxing technology will trap and contain online threats so that data remains secure.”