Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:40 PM
Connect Directly

Disabling Features Make Some Microsoft Bugs Unexploitable

eEye study finds that disabling two well-known features in Microsoft products would prevent attackers from exploiting 12 percent of vulnerabilities

New data shows how proper software configuration can mean all the difference in whether a vulnerability can actually be exploited on your system.

eEye Digital Security today released a report with results from a study conducted by eEye founder and CTO Marc Maiffret and his team of how certain configuration changes in Microsoft software can mitigate attacks. The researchers used all of the Microsoft vulnerabilities reported and patched in 2010 and confirmed that disabling two well-known features in the software would prevent attackers from exploiting 12 percent of all of these bugs.

Maiffret in February first revealed that he and his team were studying this and had found that misconfiguration is a major factor in the risk of attack. It's all about reducing the attack surface and prioritizing patching, he says.

The report reveals that only half of the vulnerabilities patched in 2010 affected the newest versions of Microsoft software, namely Windows Server 2008 R2, Windows 7, Office 2007, and Office 2010.

"When you look at 2010 vulnerabilities, if you are running the latest [version of Microsoft software], that means that for 49 percent of all vulnerabilities, you don't need to do anything. Nearly half of all vulns won't be able to be used to leverage attacks against your systems. That's a pretty amazing number," Maiffret says. "That is time you get to put back into IT operational time."

eEye focused on two basic configuration changes in its report: blocking Web-based Distributed Authoring and Versioning (WebDAV) connections and disabling Office file converters. "The most important thing you can do in security is take your time in how you configure your systems … to be as customized to your environment as possible. The reality is that the vast majority of businesses run an vanilla IT environment," which makes them more vulnerable, according to Maiffret.

WebDAV and Office file converter features were chosen for the study both because they are well-known and often are abused in exploits. Attackers send infected Excel files in older versions of the app, for example.

Among the configuration mistakes that can leave Windows systems vulnerable to attack is leaving WebDAV enabled, Maiffret says. WebDAV is a tool for collaborating among users in editing and managing documents and files stored on Web servers, and can be used for delivering malicious payloads in an attack. Merely disabling WebDAV cuts down the number of vulnerabilities that are exploitable by 4 percent, according to eEye's findings.

"That is one of the things that could easily be disabled through Active Directory Group Policy Object settings or by filtering at the perimeter," Maiffret says.

When an older binary file format is blocked, 8 percent of all of the 2010 reported Microsoft vulnerabilities would be nonexploitable, according to the report.

Microsoft, meanwhile, long has promoted users reducing the attack surface. Jerry Bryant, group manager for Trustworthy Computing at Microsoft, said in a statement about the eEye report: "At Microsoft, we have long stated that attack surface reduction is a key part of improving the security stance of any network or individual system. We not only recommend this as a best practice, but as a result of our ongoing efforts through the Security Development Lifecycle (SDL), have reduced the number of features and services enabled by default in the latest versions of our operating systems. As always, Microsoft encourages customers to upgrade to the latest product versions to ensure maximum protection against vulnerabilities."

Bryant points to Microsoft's free Security Compliance Manager Toolkit to help users "harden" their systems.

While eEye focused on the two specific features in Microsoft applications, Maiffret says there are plenty of other features that could be used to mitigate attacks. The concept applies to other vendors' apps as well.

"I don't think we really scratched the surface in what we could be doing from a configuration [standpoint]," he says. "We want to get the conversation going and make people start thinking about this and how they can customize and configure their environment."

A copy of the full eEye report, "eEye Research Report: Working Toward Configuration Best Practices, Version 1.0," is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.