Vulnerabilities in Microsoft products mark biggest jump in 2020

  • Removing administration rights from endpoints would mitigate 56 per cent of all critical Microsoft vulnerabilities from 2020.
  • Controlling user privileges and employing stronger endpoint management under a Zero Trust framework are prudent initiatives for companies to follow as digital connectivity grows.
  • Windows security subsystem is not built to withstand the use of admin rights, expert says.

Approximately 1.5 billion people use Windows operating systems each day, with various applications for Microsoft’s products reaching into homes, businesses and entertainment venues. Yet 2020 saw the total number of vulnerabilities in Microsoft products mark its single biggest jump, climbing from 858 in 2019 to 1,268 in 2020, a 48 per cent year-on-year increase.

Over the last five years, the total number of vulnerabilities in Microsoft products has skyrocketed, with a colossal 181 per cent increase since 2016.

According to BeyondTrust’s report on 2021 Microsoft Vulnerabilities, removing administration rights from endpoints would mitigate 56 per cent of all critical Microsoft vulnerabilities from 2020.

For the first time, Elevation of Privilege accounted for the largest proportion of total Microsoft vulnerabilities (44 per cent), almost tripling in number year on year (from 198 in 2019 to 559 in 2020). This might reflect a decreasing availability of easily compromised admin accounts, driving threat actors to utilise different attack vectors in cyberbreaches.

Controlling user privileges

“To adjust to the new work-from-home realities, companies need to better manage the proliferation of desktop and mobile devices, including applying patches and security updates,” Chuck Brooks, a cybersecurity expert and faculty member at Georgetown University, said.

Moreover, he said that controlling user privileges and employing stronger endpoint management under a Zero Trust framework are prudent initiatives for companies to follow as digital connectivity grows.

Morey Haber, Chief Technology Officer & Chief Information Security Officer at BeyondTrust, said that the sheer fact that patching must always occur is a cybersecurity basic.

However, he said that deflecting an attack with good cybersecurity policies like the removal of administrative rights ultimately makes the environment, and home workers, even more secure.

Most importantly, he said that honouring least privilege can buy your organisation time to patch when critical vulnerabilities are published, and added that threat actors are getting more sophisticated in their attacks.

“Is Microsoft code becoming less secure as they adopt rapid agile releases, or is the bloat in sophistication and features just leading to more vulnerabilities? Realistically, it is probably a combination of all three, but it is counter-intuitive to think if you have fewer products to support then you should have fewer vulnerabilities. That is clearly not the case for 2020 and as we know now, 2020 will go down in history for a variety of events,” he said.

Sami Laiho, Microsoft MVP and Ethical Hacker, said that the Windows security subsystem was not built to withstand the use of admin rights.

“Allow-list will let you run things from your C:\Windows-folder, but an admin can put anything in there. So, to make this work for admins, you would need to create thousands of rules instead of one. The removal of admin rights is a great proactive protection, as you can see from the numbers in this report.

“We need to protect the components that execute malicious payloads, so our most important apps to protect are things that browse the web or read email. The numbers in this report tell you the great results removing admin rights will give you in protection for Outlook, Office, IE, and Edge,” he said.

Highlights of the report:

  • In 2020, a record-high 907 vulnerabilities were reported across Windows 7, Windows RT, Windows 8/8.1, and Windows 10 operating systems. Windows 10 was touted as the “most secure Windows OS” to date when it was released, yet it still experienced 132 Critical vulnerabilities last year. Of all the Windows vulnerabilities discovered in 2020, 132 were considered Critical. Removing admin rights could have mitigated 70 per cent of these critical vulnerabilities.
  • Microsoft Office vulnerabilities rose from 60 to 79 in 2020. Of the 79, only 5 were considered critical and removing admin rights would have mitigated 4 of them (80 per cent) in all Office products (Excel, Word, PowerPoint, Visio, Publisher, and others).
  • A total of 902 vulnerabilities were reported in Microsoft Security Bulletins affecting Microsoft Windows Servers in 2020 — a 35 per cent increase over the previous year. Of the 138 vulnerabilities with a critical rating, 66 per cent could be mitigated by the removal of admin rights.
  • 87 per cent of critical vulnerabilities in Internet Explorer and Microsoft Edge would have been mitigated by removing admin rights.

