Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/25/2019
06:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Security Vulns in Microsoft Products Continue to Increase

The good news: Removing admin privileges can mitigate most of them, a new study by BeyondTrust shows.

A new analysis of Microsoft's security updates in 2018 suggests the company's long-standing efforts to build more secure products continue to be very much a work in progress.

Microsoft disclosed more security vulnerabilities — 700 — in total across its operating system, browser, and office products last year than it did in 2017.  

Since 2013, vulnerabilities in Microsoft products have, in fact, more than doubled rather than go down, with even supposedly secure technologies such as Windows 10 and Edge having a disturbingly high number of them, an analysis by BeyondTrust has found.

The one mitigating factor for enterprise organizations is that the threat from a vast majority of these flaws can be neutralized by properly managing the administrative rights available to Windows users, the security vendor said in a report Thursday.

"Eighty-one percent of vulnerabilities for 2018 can be mitigated just by removing administrative rights" on a Microsoft Windows device, says Morey Haber, CTO and CISO at BeyondTrust. "Microsoft cannot remove administrative rights by default. It is needed to initially set up and configure any new deployment of a Windows asset." So organizations need to ensure the rights are removed or disabled after initial setup, he notes.

Of the 700 vulnerabilities that Microsoft disclosed last year, 189 were classified as being of critical severity. Though that number was lower than the 235 critical vulnerabilities disclosed in 2017, over a five-year period the number of critical flaws in Microsoft products actually increased 30%, BeyondTrust's analysis shows.

As in previous years, remote code execution (RCE) flaws accounted for the largest proportion of vulnerabilities in Microsoft products last year. Of the 700 total flaws, 292 were remotely exploitable and 178 were rated as critical. Since 2013, the number of RCE flaws increased 54% overall.

Significantly, even Microsoft's newer Windows 10 operating system and Edge browser continue to be riddled with security issues. Last year a total of 112 severe flaws were reported in Edge — a sixfold increase from 2015, when the browser first became available on Windows. Meanwhile, Windows 10, which Microsoft has positioned as one of its most secure, had 474 vulnerabilities, of which more than one-third was critical. On a positive note, the number of flaws in Windows 10, both critical and non-severe, was lower than in 2017. 

BeyondTrust found that most flaws in Microsoft products pose a threat only to systems where administrator rights are enabled. For example, removing administrator rights would have mitigated 84% of the critical flaws in Windows 10 last year. The same was true for 100% of Edge browser vulnerabilities, 85% of the flaws in Windows, and 83% of the flaws in Windows servers.

The situation continues to exist for two primary reasons, Haber says. Many organizations are hesitant to disable administrator privileges out of concern that doing so would disrupt the end user experience. Inertia is another big factor. "It is much simpler for organizations to grant administrative rights and allow the end user to 'just work' versus assigning privileges," he says.

In reality, disabling administrator-level access on Windows devices takes little effort and can be done via Group Policy Preferences for all assets in a domain. However, when doing so, administrators need to ensure they are not degrading the experience for users who might need that access. Multiple tools are available from Microsoft and others that allow administrators to enforce a least privilege model, down to a service or registry key, Haber says.

The tools let standard users perform needed administrative asks without granting them admin rights. "All organizations should attempt to embrace these strategies to lower risk," Haber says.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lancop
50%
50%
lancop,
User Rank: Apprentice
4/29/2019 | 11:11:22 AM
Security Vulns in Microsoft Products: decades of experience & a plethora of security holes
Interesting that Microsoft's decades of experience developing operating systems & business applications simply results in generation after generation of products with ever greater attack surfaces. Could this be because the more features one adds to software the more code has to be added, resulting in more & more exploitable security flaws that are inherent in the software development process itself?

How come the people whose full-time job is writing software can't develop a coding process that minimizes or even eliminates software attack surfaces? Shouldn't the vulnerability situation be getting better over time instead of worse?

I think the core of the problem is that Microsoft & its programmers make a living off the Churn Cycle, which means constant change for the sake of extracting money from the user community NOT measured change that makes needed improvements that are necessary to the bulk of users.

Consequently, the Windows Operating System has become a code-bloated monstrosity that has gotten almost impossible to secure, breaks anew with every forced update, negatively impacts critical legacy LOB application productivity, drains valuable working capital resources to maintain and facilitates the leaking of valuable business & personal information to those who mean to use that information for illegal financial gain.

At the end of the day, computer users just want a stable, familiar, secure and reliable operating system to host the critical software applications that they must rely on every day. If feature bloat & the churn cycle actually interfere with those needs, then the user community is actually just waiting patiently for an alternative to the system that they have come to hate...
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...