Last year, Avecto released its first Microsoft Vulnerabilities Report celebrating 10 years of "Patch Tuesdays" with analysis of the vulnerabilities from 2013. Following on from the success of the original report Avecto have crunched the numbers to analyze the 2014 Microsoft vulnerabilities, revealing how the removal of admin rights is more important than ever.
The analysis is based on Microsoft's own recommendations to its customers on how to mitigate the impact of known critical security vulnerabilities in Microsoft products or components. The report shows how removing admin rights mitigates risk by lessening the impact of a vulnerability being exploited.
Example - MS14-060
Let's take a look at why removal of admin rights is important, using the infamous CVE-2014-4114 vulnerability, better known as Sandworm. This zero-day vulnerability allowed attackers to execute code on a target machine when the user opened an Office document containing a specially crafted OLE object. Sandworm was observed in the wild targeting a variety of sectors, including government organisations across the globe.
Once disclosed to Microsoft, the vulnerability was fixed in the MS14-060 security bulletin. The bulletin lists, among the mitigating factors that "could reduce the severity of exploitation of a vulnerability", the following: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
"If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
- MS14-060 Security Bulletin
As this vulnerability leads to code execution, it is far more dangerous if an admin account is exposed. The attacker could perform machine-wide attacks, for example disabling security solutions, installing rootkits and malicious programs, creating new user accounts, and possibly even stealing the credentials of other (domain admin) users and propagating to other endpoints on the network.
As a specific example, pass-the-hash attacks use fake application failures to lure a network admin into logging on to a compromised endpoint to resolve a support case. By logging on, the admin exposes their credentials, which can then be used to infect every other endpoint that user has access to. This is why Microsoft says that removal of admin rights is a mitigating factor that could reduce the severity of exploitation.
This Avecto research aims to highlight the risk of logging on with full admin rights, not only for these known and patched vulnerabilities, but as a strategy for mitigating the impact of future zero-day vulnerabilities that are unknown to detection-based products, where a computer and corporate network may be breached long before it is ever detected. There have been reports of Advanced Persistent Threats (APTs) remaining undetected for years once they have managed to embed themselves into the OS.
Although a key defense, removal of admin rights can only mitigate the impact and cannot always prevent the attack. As InfoSec professionals are painfully aware, in a CryptoLocker-style attack the user's data would still be vulnerable. This type of attack is exactly the reason Avecto developed Sandboxing technology to protect the user's data. Defendpoint's Sandbox module contains unknown internet threats in a separate standard user account so that malware cannot access the system files or the user's private data, combining the benefits of least privilege with secure isolation.
This not only protects private data but saves the time needed to re-image systems or restore data. Even if the malware drops temporary files or sets run keys in the sandbox these are purged automatically on reboot or log off.
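The run keys mentioned above are worth being able to see on an ordinary endpoint, because a standard user (and anything running as that user) can set them. The following PowerShell is an added example, not Avecto's or Defendpoint's code: it lists the per-user Run and RunOnce entries whose command launches something from inside the user profile, the area a standard user can write to. The key paths are the standard Windows locations; `$runKeys`, `Get-ProfileRunEntries` and the output field names are this example's own.

```powershell
# Added example: report per-user Run/RunOnce entries that launch from the user profile.
# These keys are writable by a standard user, so they are the persistence a sandbox
# purge would have to clear; this script only reports them, it changes nothing.
# $runKeys and the output field names are this example's own names.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$profileRoot = $env:USERPROFILE

function Get-ProfileRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive and
            # PSProvider to the object; those are not registry values, so skip them.
            if ($prop.Name -like 'PS*') { continue }
            $command  = [string]$prop.Value
            # Expand %APPDATA%, %LOCALAPPDATA% and similar before comparing paths.
            $expanded = [Environment]::ExpandEnvironmentVariables($command)
            $inProfile = $expanded.IndexOf($profileRoot, [StringComparison]::OrdinalIgnoreCase) -ge 0
            [pscustomobject]@{
                Key       = $key
                Name      = $prop.Name
                Command   = $command
                InProfile = $inProfile
            }
        }
    }
}

# Show only the entries that start something from the user profile.
Get-ProfileRunEntries | Where-Object InProfile | Format-Table -AutoSize
```

Run it in the session of the user being reviewed, since HKCU is that user's hive. Hits are candidates for review rather than verdicts: many legitimate per-user installers also place their executables under AppData and register them here, which is precisely why the text pairs sandbox purging with application control rather than relying on either alone.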
Application Control is also a highly effective way of ensuring that unknown, untrusted or malicious code is not allowed to run. Combined with Privilege Management, you can automatically allow-list areas of the build that the standard user cannot alter, such as Program Files and core OS files. This can also be layered within the Sandbox to ensure that malware executable payloads dropped in the user profile cannot execute and cause damage.
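Allowing code by location only holds while those locations really cannot be altered by a standard user, so a quick check of that assumption is useful. The PowerShell below is an added example, not Avecto's or Defendpoint's code: it walks the Program Files and Windows directories named above and reports any subdirectory whose ACL grants write rights to a group every standard user belongs to (Everyone, Authenticated Users or BUILTIN\Users). `$allowedRoots`, `$broadPrincipals`, `$writeMask` and `Test-StandardUserWritable` are this example's own names.

```powershell
# Added example: find directories under path-based allow-list roots that a standard
# user could write to. Path-based application control depends on these locations
# being unalterable by a standard user; this script checks that assumption.
# $allowedRoots, $broadPrincipals, $writeMask and Test-StandardUserWritable are
# this example's own names, not Defendpoint settings.

# Roots commonly allowed by path: Program Files (both) and the Windows directory.
$allowedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Well-known SIDs every standard user is a member of:
# Everyone, Authenticated Users, BUILTIN\Users.
$broadPrincipals = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Specific rights that let a caller add or change files in a directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl'
# Generic rights sometimes seen in raw ACEs: GENERIC_WRITE and GENERIC_ALL.
$genericMask = 0x40000000 -bor 0x10000000

function Test-StandardUserWritable {
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        # Inherit-only entries govern children, not this directory itself.
        $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($broadPrincipals -notcontains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band [int]$writeMask) -ne 0) -or (($rights -band $genericMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($root in $allowedRoots) {
    # The root itself plus every subdirectory; access-denied errors are skipped.
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        if (Test-StandardUserWritable -Path $d.FullName) {
            [pscustomobject]@{ Root = $root; WritableDirectory = $d.FullName }
        }
    }
}

$findings | Format-Table -AutoSize
```

The check is deliberately conservative in one direction only: it looks at Allow entries for the three broad principals and ignores Deny entries and any other group membership, so a directory it reports should be reviewed rather than assumed exploitable, while a directory it does not report could still be writable through some other group. Any hit is a location that path-based allow-listing should exclude, or that needs its permissions corrected.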
The Avecto Vulnerabilities Report has shown that removal of admin rights is key to mitigating attacks on the endpoint. This, however, is only part of building a proactive defence for the endpoint: moving beyond mitigation, we can block threats from gaining execution using application control and isolate vulnerable applications, such as the web browser, from private data using Sandboxing. This proactive approach provides excellent defences against even the most advanced malware attacks.
If you have any questions about mitigating vulnerabilities, or about how Defendpoint combines all the benefits of Privilege Management and Sandboxing with Application Control to create a powerful, proactive endpoint defence, we would be delighted to hear from you.
James Maude, Lead Cyber Security Researcher
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.