Vulnerabilities / Threats

4/25/2019
06:25 PM
Security Vulns in Microsoft Products Continue to Increase

The good news: Removing admin privileges can mitigate most of them, a new study by BeyondTrust shows.

A new analysis of Microsoft's security updates in 2018 suggests the company's long-standing efforts to build more secure products continue to be very much a work in progress.

Microsoft disclosed more security vulnerabilities — 700 — in total across its operating system, browser, and office products last year than it did in 2017.  

Since 2013, vulnerabilities in Microsoft products have, in fact, more than doubled rather than gone down, with even supposedly secure technologies such as Windows 10 and Edge having a disturbingly high number of them, an analysis by BeyondTrust has found.

The one mitigating factor for enterprise organizations is that the threat from a vast majority of these flaws can be neutralized by properly managing the administrative rights available to Windows users, the security vendor said in a report Thursday.

"Eighty-one percent of vulnerabilities for 2018 can be mitigated just by removing administrative rights" on a Microsoft Windows device, says Morey Haber, CTO and CISO at BeyondTrust. "Microsoft cannot remove administrative rights by default. It is needed to initially set up and configure any new deployment of a Windows asset." So organizations need to ensure the rights are removed or disabled after initial setup, he notes.

Of the 700 vulnerabilities that Microsoft disclosed last year, 189 were classified as being of critical severity. Though that number was lower than the 235 critical vulnerabilities disclosed in 2017, over a five-year period the number of critical flaws in Microsoft products actually increased 30%, BeyondTrust's analysis shows.

As in previous years, remote code execution (RCE) flaws accounted for the largest proportion of vulnerabilities in Microsoft products last year. Of the 700 total flaws, 292 were remotely exploitable and 178 were rated as critical. Since 2013, the number of RCE flaws increased 54% overall.

Significantly, even Microsoft's newer Windows 10 operating system and Edge browser continue to be riddled with security issues. Last year a total of 112 severe flaws were reported in Edge, a sixfold increase from 2015, when the browser first became available on Windows. Meanwhile, Windows 10, which Microsoft has positioned as one of its most secure products, had 474 vulnerabilities, of which more than one-third were critical. On a positive note, the number of flaws in Windows 10, both critical and non-severe, was lower than in 2017.

BeyondTrust found that most flaws in Microsoft products pose a threat only to systems where administrator rights are enabled. For example, removing administrator rights would have mitigated 84% of the critical flaws in Windows 10 last year. The same was true for 100% of Edge browser vulnerabilities, 85% of the flaws in Windows, and 83% of the flaws in Windows servers.

The situation continues to exist for two primary reasons, Haber says. Many organizations are hesitant to disable administrator privileges out of concern that doing so would disrupt the end user experience. Inertia is another big factor. "It is much simpler for organizations to grant administrative rights and allow the end user to 'just work' versus assigning privileges," he says.

In reality, disabling administrator-level access on Windows devices takes little effort and can be done via Group Policy Preferences for all assets in a domain. However, when doing so, administrators need to ensure they are not degrading the experience for users who might need that access. Multiple tools are available from Microsoft and others that allow administrators to enforce a least privilege model, down to a service or registry key, Haber says.

The tools let standard users perform needed administrative tasks without granting them admin rights. "All organizations should attempt to embrace these strategies to lower risk," Haber says.
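One check that pairs with the advice above, as an added example that is not from the article or from BeyondTrust: a PowerShell audit of a workstation's local Administrators group against an allowlist, so accounts that kept admin rights after initial setup can be found and reviewed. The allowlist entries and the CONTOSO group names are placeholders.

```powershell
# Added example (not the article's or BeyondTrust's code): list members of the
# local Administrators group that are not on an approved allowlist.
# Assumes PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module.
# Allowlist entries are placeholders; replace them with your own groups.

$Allowed = @(
    'Administrator',               # built-in local admin (disable/rename per policy)
    'CONTOSO\Domain Admins',       # placeholder domain group
    'CONTOSO\Workstation Admins'   # placeholder tiered-admin group
)

function Get-UnexpectedLocalAdmins {
    param(
        [string[]] $AllowList = $Allowed,
        [string]   $GroupName = 'Administrators'
    )
    # Get-LocalGroupMember returns Name as "MACHINE\user" or "DOMAIN\group".
    # Strip the local machine prefix so the allowlist works on every host.
    $local = $env:COMPUTERNAME
    Get-LocalGroupMember -Group $GroupName | ForEach-Object {
        $name = $_.Name
        if ($name -like "$local\*") { $name = $name.Substring($local.Length + 1) }
        [pscustomobject]@{
            Name            = $name
            ObjectClass     = $_.ObjectClass      # User or Group
            PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount
            SID             = $_.SID.Value
            Allowed         = ($AllowList -contains $name)   # case-insensitive match
        }
    } | Where-Object { -not $_.Allowed }
}

$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    Write-Warning "Local Administrators on $env:COMPUTERNAME has $($unexpected.Count) unapproved member(s):"
    $unexpected | Format-Table Name, ObjectClass, PrincipalSource, SID -AutoSize
    # Removal is deliberately left opt-in so the list can be reviewed first:
    # $unexpected | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
} else {
    Write-Host "No unapproved members in local Administrators on $env:COMPUTERNAME."
}
```

Running the script through a scheduled task or endpoint-management job gives a per-host drift report that can be compared against the Group Policy Preferences setting that is supposed to enforce the group's membership.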


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments

lancop (User Rank: Moderator), 4/29/2019 | 11:11:22 AM
Security Vulns in Microsoft Products: decades of experience & a plethora of security holes
Interesting that Microsoft's decades of experience developing operating systems & business applications simply results in generation after generation of products with ever greater attack surfaces. Could this be because the more features one adds to software the more code has to be added, resulting in more & more exploitable security flaws that are inherent in the software development process itself?

How come the people whose full-time job is writing software can't develop a coding process that minimizes or even eliminates software attack surfaces? Shouldn't the vulnerability situation be getting better over time instead of worse?

I think the core of the problem is that Microsoft & its programmers make a living off the Churn Cycle, which means constant change for the sake of extracting money from the user community, NOT measured change that makes needed improvements that are necessary to the bulk of users.

Consequently, the Windows Operating System has become a code-bloated monstrosity that has gotten almost impossible to secure, breaks anew with every forced update, negatively impacts critical legacy LOB application productivity, drains valuable working capital resources to maintain and facilitates the leaking of valuable business & personal information to those who mean to use that information for illegal financial gain.

At the end of the day, computer users just want a stable, familiar, secure and reliable operating system to host the critical software applications that they must rely on every day. If feature bloat & the churn cycle actually interfere with those needs, then the user community is actually just waiting patiently for an alternative to the system that they have come to hate...