1st Half 2013 Mozilla Privilege Vulnerabilities
In the past 6 months Mozilla has released 62 Security Bulletins addressing 88 vulnerabilities. Of the 62 Mozilla Security Bulletins released, more than 1 out of every 2 had vulnerabilities that could be used to exploit the rights of the logged-on user. All of the bulletins released affected Mozilla Firefox, which means that any user not keeping their Firefox browser up to date is in imminent danger unless some privilege management software is in place. Here’s a breakdown of the Mozilla Security Bulletins:
|% of Bulletins with privilege exploits|55%|
|% of Vulnerabilities with privilege exploits|67%|
Mozilla classifies the bulletins as critical, high, moderate, and low. Similar to Microsoft's ratings, critical vulnerabilities can run attacker code and install software without users knowing. High vulnerabilities can also be exploited without users knowing, but can only disclose information to attackers. In most cases, exploitation of critical and high vulnerabilities would come from visiting a malicious website or a legitimate website serving up malicious content, as is often done through ad networks. Moderate vulnerabilities can only occur if a user has a non-default configuration, and low vulnerabilities pose no major threat to users. With that classification in mind, here’s a breakdown of the Mozilla Bulletin Severity and Vulnerabilities with Privilege Exploits:
|Bulletin Severity|Vulnerabilities with Privilege Exploits|Total Vulnerabilities|Share of Vulnerabilities Impacted by Privilege|
With 96% of the 52 critical vulnerabilities involving privilege exploitation, any user who runs Firefox under an administrator account should be concerned. In layman’s terms, in the past 6 months there have been 50 known ways that an attacker can execute code on a user’s computer and gain full access using the privileges of the user, which works out to roughly 2 new vulnerabilities a week for a hacker to use. Privilege management software is a proven method to limit these vulnerabilities. Unlike patching, it can limit both existing and unknown vulnerabilities from being exploited by always limiting the privileges of the application, regardless of the user’s account type.
Software vulnerabilities are most dangerous to users and businesses when least-privilege management best practices aren’t followed. Those best practices include removing administrative rights from end users, running applications with restricted privileges, and securing administrator accounts. Privilege management software such as Arellia Application Control Solution and Local Security Solution can reduce the impact of vulnerabilities by securing the rights of applications and users.