Nine of out 10 critical bugs reported by Microsoft Corp. last year could have been made moot, or at least made less dangerous, if people ran Windows without administrative rights, a developer of enterprise rights management software claimed today.
BeyondTrust Corp., which touts its Privilege Manager as a way for companies to lock down PCs, tallied the individual vulnerabilities that Microsoft disclosed in 2008, then examined each accompanying security bulletin.
If the bulletin’s “Mitigating Factors” section, the part that spells out how to lessen the risk of attack or eliminate it entirely, said that users with fewer rights “could be less impacted than users who operate with administrative rights,” BeyondTrust counted the bug.
The vast majority of critical Microsoft vulnerabilities – 92 per cent of them – could have been mitigated by stripping users of administrative rights, said John Moyer, the CEO of BeyondTrust.
“This speaks to what enterprises should be doing,” Moyer said. “Clearly, eliminating administrative rights can close the window of opportunity of attack.”
Of the 154 bugs published and patched by Microsoft in 2008, critical or not, 69 per cent would have been blocked or their impact reduced by configuring users to run without administrative rights, said the company.
When BeyondTrust looked at the vulnerabilities patched for Microsoft’s browser, Internet Explorer (IE), and its application suite, Office, it found that 89 per cent of the former and 94 per cent of the latter could have been stymied by denying users administrative privileges.
“We were surprised to see how large the number was,” said Scott McCarley, the company’s director of marketing. “It really drives home how critical a role [rights] play.”
Microsoft’s approach to user rights has been a matter of debate of late.
Rafael Rivera, a developer for a Virginia-based company that sells secure messaging software to the U.S. government, and Long Zheng, a well-known blogger who writes “I Started Something,” argued that a change to User Account Control (UAC) in Windows 7 could be exploited by attackers to secretly disable the feature.
UAC, a security feature that debuted in 2007 with Windows Vista, prompts users for their consent before Windows allows tasks such as program installations to continue.
The feature has been roundly criticized since Vista’s launch, primarily for too-frequent nagging. Even Microsoft acknowledged UAC’s problems last year, when it named it one of the five factors that contributed to Vista’s slow adoption pace.
In Windows 7, UAC has been modified to pop up alerts less often. It also has been changed so that by default, the feature is set to “Don’t notify me when I make changes to Windows settings,” said Rivera and Long,
“Windows 7 now ships with UAC configured to hide prompts when users change Windows settings,” noted Rivera in a post to his blog on Friday. “While this mode still ensures normal applications can’t overwrite your entire registry, Microsoft made a boo-boo in allowing users to change any Windows setting without any prompts.
“Yes, you can even change UAC settings, allow[ing] applications free reign in elevated mode, after the required restart,” Rivera continued.
The danger, Rivera and Long said, is that attackers can easily disable UAC without involving the user, and — since by default Windows 7 doesn’t warn when such changes are made — without the user’s knowledge.
The pair created a proof-of-concept script that disables UAC — one of Microsoft’s most heavily promoted security features in the past two years — and posted it online.
“We soon realized the implications are even worse than originally thought,” said Long. “You could automate a restart after UAC has been changed, add a program to the user’s Startup folder, and because UAC is now off, run with full administrative privileges ready to wreak havoc.”
Microsoft disagreed with Rivera’s and Long’s conclusion.
“This is not a vulnerability,” said a Microsoft spokesman in an e-mail. “The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This [includes] changing the UAC prompting level.”
The spokesman went on to say that the changes to UAC in Windows 7 were based on feedback Microsoft received from users, and noted that a script such as the one Rivera and Long created could only gain entry to a PC if the user downloaded and ran it, or if it was introduced as part of a broader attack.
“In order for malicious code to have gotten on to the box,” the spokesman continued, “something else [must have] already been breached, or the user has explicitly consented.”
Andrew Storms, director of security operations at nCircle Network Security Inc., took Microsoft’s side in the discussion.
“I would agree [that] it is functioning as designed,” said Storms via instant messaging. “The word ‘vulnerability’ is probably misplaced in this case. [And] the point is that it had to have gotten on there and run by something … a user clicking, some third-party software, etc.”
The Microsoft spokesman declined to answer a question about whether the company would alter UAC behavior in Windows 7 as it moves from beta to the next milestone, a release candidate.
Long, however, noted that on the official feedback forum for Windows 7 beta testers, Microsoft has hinted that it will not change the UAC default settings.
“That proof-of-concept illustrates how important it is that users log in as a standard user, not as administrative users,” said McCarley. Only users running Windows with administrative rights are vulnerable to the attack.
Microsoft has refused to call the Windows 7 UAC issue a security bug, and instead has insisted that the behavior exploited by the malicious script is by design.