As Microsoft reconsiders relaxing its stance on how Windows handles users’ requests for administrator privileges, a new study finds that doing away altogether with administrator rights could have mitigated 92 percent of the company’s critical vulnerabilities in 2008.
These include critical vulnerabilities — that is, known security holes that Microsoft (NASDAQ: MSFT) recommends patching immediately — in Windows, Office and the Internet Explorer browser, according to a study (published in PDF format) from enterprise security products vendor BeyondTrust.
Additionally, removing administrator rights would have mitigated 106 of the total 154 vulnerabilities described in Microsoft’s security bulletins last year, the company said. Mitigated here means that an exploit would run with only the rights of a standard user, not that the underlying flaw would disappear.
“The problem is universal, from Windows 2000 up through Vista, and the Microsoft applications,” John Moyer, BeyondTrust’s CEO, told InternetNews.com.
The findings come as concerns over how much control, or how little, end users should be given by an operating system are again in the limelight, thanks to plans by Microsoft to revisit how the upcoming edition of Windows handles user privileges.
And while running with administrator-level rights has long amplified the damage done by most security vulnerabilities, BeyondTrust’s conclusions highlight the sheer scope of the issue — and the difficulties Microsoft faces in deciding how much freedom to give users.
“Many of the problems that come from Microsoft vulnerabilities allow attacks by taking over administrator privilege on the target computer and then installing malware or running applications,” Don Retallack, research vice president at research firm Directions on Microsoft, told InternetNews.com.
However, IT staff cannot simply remove all administrator rights blindly, because many applications need them in order to run. “The problem is that many third-party applications and some Microsoft applications require elevated privileges beyond those of the standard user in order to either install or run,” Retallack said.
Changes ahead for admin rights in Windows
BeyondTrust’s findings may be especially ironic in that Microsoft is signaling its intent to loosen the default controls on user privileges in the upcoming Windows 7.
In Windows Vista, a safeguard called User Account Control (UAC) springs into action whenever a program tries to make an administrator-level change: an administrator is asked in a pop-up screen to consent to the change, while a standard user is asked to supply administrator credentials before it can proceed. Until that prompt is approved, even an administrator’s programs run with a filtered, standard-user token.
“The User Account Control feature in Windows Vista makes it easier to use Windows without administrator privileges,” a Microsoft spokesperson told InternetNews.com in an e-mail. “Administrators can also run most applications with limited privileges and elevate privileges when necessary to perform specific administrative tasks such as installing new software.”
But the pop-ups’ frequency annoyed users considerably and quickly became identified as one of Vista’s least-liked features. Perhaps worse, users grew accustomed to routinely clicking their approval in UAC without reading the prompt — a habit that turned the safeguard into a potential security risk.
“Many third-party applications required administrator rights, and users would just click ‘Yes’ when prompted by the UAC in Vista,” Retallack said. “That became automatic, and they’d click on Web pages that would pop up and some of these installed malware.”
In response to some of the issues with UAC in Vista, Microsoft made changes in Windows 7, Vista’s successor, so that users can control how much notification they want to get: a four-level slider replaces Vista’s on-or-off switch, and the default level prompts only when a non-Windows program asks for elevation.
In October, Steven Sinofsky, senior vice president of Windows and Windows Live at Microsoft, admitted that the company had meant well with Vista’s UAC, but “we possibly went too far.”
However, at least one Microsoft watcher claims to have found a security gap even in the new Windows 7 UAC. Long Zheng, who writes the blog I Started Something, said it is easy to disable the upcoming OS’s UAC without alerting the user.
Once UAC has been disabled, a hacker could automate a restart, add a program to the user’s startup folder and run it with full administrative privileges, Zheng said in his blog.
But the Microsoft spokesperson disputed the claim, adding that the only way Windows 7 UAC could be disabled is if malicious code is already running on the user’s PC.
For that to happen, a hacker would have had to exploit some other breach, or the user would have had to explicitly consent to running the malicious code, the spokesperson said.
Many large IT shops seek to sidestep the problem of users’ administrator rights by using applications that centrally manage those rights, so that users log on as standard users and only specific applications are elevated.
BeyondTrust and U.K.-based startup Avecto, for instance, offer products that enable enterprises to control administrator privileges. The BeyondTrust Privilege Manager uses Microsoft’s Group Policy feature to manage user access privileges, while Avecto’s Privilege Guard lets administrators elevate privileges on a per-application basis, without giving the user full administrative rights.
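Before an organization can decide whether to move users to standard accounts, it needs to know two things the passages above leave implicit: how UAC is actually configured on its machines, and who currently sits in the local Administrators group. The script below is an added example written for this page; it is not code from the article, from BeyondTrust or from Avecto. It assumes PowerShell 5.1 or later on Windows, that the policy values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` reflect the effective UAC setting (they do whether set locally or by Group Policy), and the `$allowed` baseline list is a placeholder to be replaced with your own.

```powershell
# Added example (not from the article or from BeyondTrust/Avecto).
# Audits the effective UAC configuration, reports whether the current session
# is elevated, and lists local Administrators members against a baseline.
# Assumes PowerShell 5.1+ on Windows; run it as an ordinary user first to see
# the filtered-token behaviour, then from an elevated prompt.

function Get-UacConfiguration {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    # EnableLUA = 0 turns UAC off entirely.
    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = always prompt for consent,
    # 5 = prompt only for non-Windows binaries (the Windows 7 default).
    [pscustomobject]@{
        UacEnabled            = ($p.EnableLUA -eq 1)
        AdminPromptBehavior   = $p.ConsentPromptBehaviorAdmin
        UserPromptBehavior    = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop = ($p.PromptOnSecureDesktop -eq 1)
    }
}

function Test-IsElevated {
    # With UAC on, an administrator's normal session carries a filtered token,
    # so this returns $false until the user has consented to elevation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # which avoids depending on the localized group name.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Select-Object Name, ObjectClass, PrincipalSource
    } else {
        # Fallback for hosts without the LocalAccounts module: enumerate via ADSI.
        $group = [ADSI]'WinNT://./Administrators,group'
        $group.psbase.Invoke('Members') | ForEach-Object {
            [pscustomobject]@{
                Name            = $_.GetType().InvokeMember('Name',  'GetProperty', $null, $_, $null)
                ObjectClass     = $_.GetType().InvokeMember('Class', 'GetProperty', $null, $_, $null)
                PrincipalSource = 'Unknown'
            }
        }
    }
}

# --- Report ---------------------------------------------------------------
$uac = Get-UacConfiguration
if (-not $uac.UacEnabled) {
    Write-Warning 'UAC is disabled: every process started by an administrator account runs fully elevated.'
} elseif ($uac.AdminPromptBehavior -eq 0) {
    Write-Warning 'Administrators are elevated silently (ConsentPromptBehaviorAdmin = 0); UAC provides no barrier for them.'
}
$uac | Format-List
"Current session elevated: $(Test-IsElevated)"

# Assumption: the accounts that are *supposed* to hold local admin rights.
# Replace with your own baseline (for example the IT support group).
$allowed = @('Administrator', 'Domain Admins')

"Members of the local Administrators group:"
Get-LocalAdminMembers | ForEach-Object {
    $short = ($_.Name -split '\\')[-1]
    $flag  = if ($allowed -contains $short) { '' } else { '   <-- review: not in baseline' }
    "  $($_.Name) [$($_.ObjectClass), $($_.PrincipalSource)]$flag"
}
```

Run from a standard-user session the membership listing still works (reading group membership needs no elevation), but `Test-IsElevated` reports `False`; that is the split-token behaviour the article’s UAC description refers to. Every name flagged `not in baseline` is a user who would be affected by a move to standard accounts and is a candidate for a per-application elevation rule rather than a blanket admin right.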
But such solutions may not fully address the problem in many cases, Laura DiDio, principal at analyst firm ITIC, told InternetNews.com.
“It’s an eternal struggle, security versus usability,” DiDio said. “I’ve talked to a lot of companies that have salespeople on the road who want administrative privileges and access into the network, and that can be hazardous to security. User error and misconfiguration still do more damage than a lot of the rogue code.”