Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:40 PM
Connect Directly

Disabling Features Make Some Microsoft Bugs Unexploitable

eEye study finds that disabling two well-known features in Microsoft products would prevent attackers from exploiting 12 percent of vulnerabilities

New data shows how proper software configuration can mean all the difference in whether a vulnerability can actually be exploited on your system.

eEye Digital Security today released a report with results from a study conducted by eEye founder and CTO Marc Maiffret and his team of how certain configuration changes in Microsoft software can mitigate attacks. The researchers used all of the Microsoft vulnerabilities reported and patched in 2010 and confirmed that disabling two well-known features in the software would prevent attackers from exploiting 12 percent of all of these bugs.

Maiffret in February first revealed that he and his team were studying this and had found that misconfiguration is a major factor in the risk of attack. It's all about reducing the attack surface and prioritizing patching, he says.

The report reveals that only half of the vulnerabilities patched in 2010 affected the newest versions of Microsoft software, namely Windows Server 2008 R2, Windows 7, Office 2007, and Office 2010.

"When you look at 2010 vulnerabilities, if you are running the latest [version of Microsoft software], that means that for 49 percent of all vulnerabilities, you don't need to do anything. Nearly half of all vulns won't be able to be used to leverage attacks against your systems. That's a pretty amazing number," Maiffret says. "That is time you get to put back into IT operational time."

eEye focused on two basic configuration changes in its report: blocking Web-based Distributed Authoring and Versioning (WebDAV) connections and disabling Office file converters. "The most important thing you can do in security is take your time in how you configure your systems … to be as customized to your environment as possible. The reality is that the vast majority of businesses run an vanilla IT environment," which makes them more vulnerable, according to Maiffret.

WebDAV and Office file converter features were chosen for the study both because they are well-known and often are abused in exploits. Attackers send infected Excel files in older versions of the app, for example.

Among the configuration mistakes that can leave Windows systems vulnerable to attack is leaving WebDAV enabled, Maiffret says. WebDAV is a tool for collaborating among users in editing and managing documents and files stored on Web servers, and can be used for delivering malicious payloads in an attack. Merely disabling WebDAV cuts down the number of vulnerabilities that are exploitable by 4 percent, according to eEye's findings.

"That is one of the things that could easily be disabled through Active Directory Group Policy Object settings or by filtering at the perimeter," Maiffret says.

When an older binary file format is blocked, 8 percent of all of the 2010 reported Microsoft vulnerabilities would be nonexploitable, according to the report.

Microsoft, meanwhile, long has promoted users reducing the attack surface. Jerry Bryant, group manager for Trustworthy Computing at Microsoft, said in a statement about the eEye report: "At Microsoft, we have long stated that attack surface reduction is a key part of improving the security stance of any network or individual system. We not only recommend this as a best practice, but as a result of our ongoing efforts through the Security Development Lifecycle (SDL), have reduced the number of features and services enabled by default in the latest versions of our operating systems. As always, Microsoft encourages customers to upgrade to the latest product versions to ensure maximum protection against vulnerabilities."

Bryant points to Microsoft's free Security Compliance Manager Toolkit to help users "harden" their systems.

While eEye focused on the two specific features in Microsoft applications, Maiffret says there are plenty of other features that could be used to mitigate attacks. The concept applies to other vendors' apps as well.

"I don't think we really scratched the surface in what we could be doing from a configuration [standpoint]," he says. "We want to get the conversation going and make people start thinking about this and how they can customize and configure their environment."

A copy of the full eEye report, "eEye Research Report: Working Toward Configuration Best Practices, Version 1.0," is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-21
An issue was discovered in Contactmanager 13.x before, 14.x before, and 15.x before for FreePBX In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on...
PUBLISHED: 2019-10-21
Trend Micro Anti-Threat Toolkit (ATTK) versions and below have a vulnerability that may allow an attacker to place malicious files in the same directory, potentially leading to arbitrary remote code execution (RCE) when executed.
PUBLISHED: 2019-10-21
app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any comma...
PUBLISHED: 2019-10-21
resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.
PUBLISHED: 2019-10-21
On the RICOH MP 501 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn and KeyDisplay parameter to /web/entry/en/address/adrsSetUserWizard.cgi.