Disabling Features Make Some Microsoft Bugs Unexploitable

New data shows how proper software configuration can mean all the difference in whether a vulnerability can actually be exploited on your system.

eEye Digital Security today released a report with results from a study conducted by eEye founder and CTO Marc Maiffret and his team of how certain configuration changes in Microsoft software can mitigate attacks. The researchers used all of the Microsoft vulnerabilities reported and patched in 2010 and confirmed that disabling two well-known features in the software would prevent attackers from exploiting 12 percent of all of these bugs.

Maiffret in February first revealed that he and his team were studying this and had found that misconfiguration is a major factor in the risk of attack. It's all about reducing the attack surface and prioritizing patching, he says.

The report reveals that only half of the vulnerabilities patched in 2010 affected the newest versions of Microsoft software, namely Windows Server 2008 R2, Windows 7, Office 2007, and Office 2010.

"When you look at 2010 vulnerabilities, if you are running the latest [version of Microsoft software], that means that for 49 percent of all vulnerabilities, you don't need to do anything. Nearly half of all vulns won't be able to be used to leverage attacks against your systems. That's a pretty amazing number," Maiffret says. "That is time you get to put back into IT operational time."

eEye focused on two basic configuration changes in its report: blocking Web-based Distributed Authoring and Versioning (WebDAV) connections and disabling Office file converters. "The most important thing you can do in security is take your time in how you configure your systems … to be as customized to your environment as possible. The reality is that the vast majority of businesses run an vanilla IT environment," which makes them more vulnerable, according to Maiffret.

WebDAV and Office file converter features were chosen for the study both because they are well-known and often are abused in exploits. Attackers send infected Excel files in older versions of the app, for example.

Among the configuration mistakes that can leave Windows systems vulnerable to attack is leaving WebDAV enabled, Maiffret says. WebDAV is a tool for collaborating among users in editing and managing documents and files stored on Web servers, and can be used for delivering malicious payloads in an attack. Merely disabling WebDAV cuts down the number of vulnerabilities that are exploitable by 4 percent, according to eEye's findings.

"That is one of the things that could easily be disabled through Active Directory Group Policy Object settings or by filtering at the perimeter," Maiffret says.

When an older binary file format is blocked, 8 percent of all of the 2010 reported Microsoft vulnerabilities would be nonexploitable, according to the report.

Microsoft, meanwhile, long has promoted users reducing the attack surface. Jerry Bryant, group manager for Trustworthy Computing at Microsoft, said in a statement about the eEye report: "At Microsoft, we have long stated that attack surface reduction is a key part of improving the security stance of any network or individual system. We not only recommend this as a best practice, but as a result of our ongoing efforts through the Security Development Lifecycle (SDL), have reduced the number of features and services enabled by default in the latest versions of our operating systems. As always, Microsoft encourages customers to upgrade to the latest product versions to ensure maximum protection against vulnerabilities."

Bryant points to Microsoft's free Security Compliance Manager Toolkit to help users "harden" their systems.

While eEye focused on the two specific features in Microsoft applications, Maiffret says there are plenty of other features that could be used to mitigate attacks. The concept applies to other vendors' apps as well.

"I don't think we really scratched the surface in what we could be doing from a configuration [standpoint]," he says. "We want to get the conversation going and make people start thinking about this and how they can customize and configure their environment."

A copy of the full eEye report, "eEye Research Report: Working Toward Configuration Best Practices, Version 1.0," is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.