Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/25/2019
06:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Security Vulns in Microsoft Products Continue to Increase

The good news: Removing admin privileges can mitigate most of them, a new study by BeyondTrust shows.

A new analysis of Microsoft's security updates in 2018 suggests the company's long-standing efforts to build more secure products continue to be very much a work in progress.

Microsoft disclosed more security vulnerabilities — 700 — in total across its operating system, browser, and office products last year than it did in 2017.  

Since 2013, vulnerabilities in Microsoft products have, in fact, more than doubled rather than go down, with even supposedly secure technologies such as Windows 10 and Edge having a disturbingly high number of them, an analysis by BeyondTrust has found.

The one mitigating factor for enterprise organizations is that the threat from a vast majority of these flaws can be neutralized by properly managing the administrative rights available to Windows users, the security vendor said in a report Thursday.

"Eighty-one percent of vulnerabilities for 2018 can be mitigated just by removing administrative rights" on a Microsoft Windows device, says Morey Haber, CTO and CISO at BeyondTrust. "Microsoft cannot remove administrative rights by default. It is needed to initially set up and configure any new deployment of a Windows asset." So organizations need to ensure the rights are removed or disabled after initial setup, he notes.

Of the 700 vulnerabilities that Microsoft disclosed last year, 189 were classified as being of critical severity. Though that number was lower than the 235 critical vulnerabilities disclosed in 2017, over a five-year period the number of critical flaws in Microsoft products actually increased 30%, BeyondTrust's analysis shows.

As in previous years, remote code execution (RCE) flaws accounted for the largest proportion of vulnerabilities in Microsoft products last year. Of the 700 total flaws, 292 were remotely exploitable and 178 were rated as critical. Since 2013, the number of RCE flaws increased 54% overall.

Significantly, even Microsoft's newer Windows 10 operating system and Edge browser continue to be riddled with security issues. Last year a total of 112 severe flaws were reported in Edge — a sixfold increase from 2015, when the browser first became available on Windows. Meanwhile, Windows 10, which Microsoft has positioned as one of its most secure, had 474 vulnerabilities, of which more than one-third was critical. On a positive note, the number of flaws in Windows 10, both critical and non-severe, was lower than in 2017. 

BeyondTrust found that most flaws in Microsoft products pose a threat only to systems where administrator rights are enabled. For example, removing administrator rights would have mitigated 84% of the critical flaws in Windows 10 last year. The same was true for 100% of Edge browser vulnerabilities, 85% of the flaws in Windows, and 83% of the flaws in Windows servers.

The situation continues to exist for two primary reasons, Haber says. Many organizations are hesitant to disable administrator privileges out of concern that doing so would disrupt the end user experience. Inertia is another big factor. "It is much simpler for organizations to grant administrative rights and allow the end user to 'just work' versus assigning privileges," he says.

In reality, disabling administrator-level access on Windows devices takes little effort and can be done via Group Policy Preferences for all assets in a domain. However, when doing so, administrators need to ensure they are not degrading the experience for users who might need that access. Multiple tools are available from Microsoft and others that allow administrators to enforce a least privilege model, down to a service or registry key, Haber says.

The tools let standard users perform needed administrative asks without granting them admin rights. "All organizations should attempt to embrace these strategies to lower risk," Haber says.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lancop
50%
50%
lancop,
User Rank: Moderator
4/29/2019 | 11:11:22 AM
Security Vulns in Microsoft Products: decades of experience & a plethora of security holes
Interesting that Microsoft's decades of experience developing operating systems & business applications simply results in generation after generation of products with ever greater attack surfaces. Could this be because the more features one adds to software the more code has to be added, resulting in more & more exploitable security flaws that are inherent in the software development process itself?

How come the people whose full-time job is writing software can't develop a coding process that minimizes or even eliminates software attack surfaces? Shouldn't the vulnerability situation be getting better over time instead of worse?

I think the core of the problem is that Microsoft & its programmers make a living off the Churn Cycle, which means constant change for the sake of extracting money from the user community NOT measured change that makes needed improvements that are necessary to the bulk of users.

Consequently, the Windows Operating System has become a code-bloated monstrosity that has gotten almost impossible to secure, breaks anew with every forced update, negatively impacts critical legacy LOB application productivity, drains valuable working capital resources to maintain and facilitates the leaking of valuable business & personal information to those who mean to use that information for illegal financial gain.

At the end of the day, computer users just want a stable, familiar, secure and reliable operating system to host the critical software applications that they must rely on every day. If feature bloat & the churn cycle actually interfere with those needs, then the user community is actually just waiting patiently for an alternative to the system that they have come to hate...
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5607
PUBLISHED: 2020-07-10
Open redirect vulnerability in SHIRASAGI v1.13.1 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
CVE-2020-15299
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...