94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com)
An anonymous reader quotes Computerworld:
If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.
94% of all programs won't run properly without those rights.
Unfortunately for the longest time developers for Windows got away with not giving half a shit about security. To make matters worse, when MS finally decided to tighten the screws, they went overboard by a long shot. You cannot even install a simple program without elevated rights.
And to make matters worse, "elevated" means "full access, anywhere". There is no granularity, it's only "can't do jack shit" or "total control". You cannot open up the program files to install a normal program without also giving that program the ability to drop a low level driver into your system.
Then again, if that worked, a lot of people would probably notice just WHAT kind of crap their beloved games barf into the deeper intestines of their computers for the sake of the all holy DRM.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I think you hit the nail on the head right there. I've always felt the interface to gain admin on Windows has been clunky and inconsistent at best.
I found it a whole lot easier to just turn Windows off.
It is very much on par with recommending not to plug the computer in to improve security. Too much of the system still requires administrative rights for it to be viable.
The real point of this story is that by disabling admin rights Microsoft can pretend to the world that their products are not the least secure in their respective classes.
Of course it completely fails to address the fact that unless you only want to do very simply things on a computer, admin rights are frequently required.
Who runs with full admin rights?
Define 'full'.
I run with admin rights on my Windows 10 machine because it's the default and it's a pain in the neck to run without. "Sorry you don't have permissions to set the clock".
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
They can't make it work. Windows core architecture is fundamentally broken and insecure. See MS's documentation about security tokens and permissions. You can only unmask permissions since 2008R2. This means that your process starts with max permissions and is masked to reduce it. Totally unlike the authentication/authorization and security elevation process in pretty much every other system out there.
No, your process starts with a *masked* token. The security subsystem creates *two* tokens when you log in: one with all of your privileges and one where "admin" privileges have been masked out. Switching from the masked token to the unmasked token is called *elevation*.
The desktop process (explorer.exe) and any process that you launch will *by default* use the non-elevated token. This means that by default none of your user processes have admin privileges, even if you logged in using an admin account. It is understandable that someone only familiar with the Linux/Unix model does not get this at first, because Linux/Unix do not have *tokens*. The *nix model can only describe the permissions of a process through an "effective user", i.e., a reference to an account. No token.
On Windows, each process has a security token which by default is inherited from the parent process, but may differ. This is not possible on *nix where you need to refer to some user id to describe the privileges indirectly.
An executable's manifest may indicate that it needs certain admin privileges when executed. In that case, Windows will look up to see if your *unmasked* token fits the required privileges. If it does, Windows will prompt you for consent to use the elevated token. If you approve, the new process is launched with the elevated token that was created and stored when you logged in.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
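One way to observe the two-token model the comment above describes, as an added example that is not part of the original thread: a PowerShell script that asks the kernel which of the two logon tokens the current process holds and, if it is the masked one, queries the linked (unmasked) token. The P/Invoke signatures, constants and helper names are written here (not taken from the page) and assume Windows with UAC enabled.

```powershell
# Added example: inspect the current process token via advapi32 (assumed Win32 signatures).
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int infoLen, out int retLen);
[DllImport("advapi32.dll", SetLastError = true, EntryPoint = "GetTokenInformation")]
public static extern bool GetTokenInformationPtr(IntPtr token, int infoClass, out IntPtr info, int infoLen, out int retLen);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$TOKEN_QUERY        = 0x0008
$TokenElevationType = 18   # TOKEN_INFORMATION_CLASS values
$TokenLinkedToken   = 19
$TokenElevation     = 20

function Get-TokenInt([IntPtr]$token, [int]$class) {
    $value = 0; $len = 0
    if (-not [Win32.Token]::GetTokenInformation($token, $class, [ref]$value, 4, [ref]$len)) {
        throw "GetTokenInformation($class) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $value
}

$hToken = [IntPtr]::Zero
if (-not [Win32.Token]::OpenProcessToken([Win32.Token]::GetCurrentProcess(), $TOKEN_QUERY, [ref]$hToken)) {
    throw "OpenProcessToken failed"
}
try {
    # 1 = Default: no split token (UAC off, or a standard user with nothing to mask)
    # 2 = Full:    this process runs on the unmasked token (it is elevated)
    # 3 = Limited: this process runs on the masked token; a linked full token exists
    $type       = Get-TokenInt $hToken $TokenElevationType
    $isElevated = (Get-TokenInt $hToken $TokenElevation) -ne 0
    "Elevation type: $type   Elevated: $isElevated"

    if ($type -eq 3) {
        $linked = [IntPtr]::Zero; $len = 0
        if ([Win32.Token]::GetTokenInformationPtr($hToken, $TokenLinkedToken, [ref]$linked, [IntPtr]::Size, [ref]$len)) {
            # The linked handle is the elevated token created at logon. Without SeTcbPrivilege
            # it is only usable for queries like this one (assumption), not for launching processes.
            "Linked (unmasked) token elevated: $((Get-TokenInt $linked $TokenElevation) -ne 0)"
            [void][Win32.Token]::CloseHandle($linked)
        }
    }
} finally { [void][Win32.Token]::CloseHandle($hToken) }
# The consent path in the last paragraph: Start-Process powershell -Verb RunAs
# triggers the UAC prompt, and the child reports type 2 when run through this script.
```

Run it once from a normal prompt and once from an elevated prompt: the same account shows type 3 with a linked elevated token in the first case and type 2 in the second.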