Endpoint Management Community Blog

Microsoft Privilege Exploitation for 1st Half of 2012

Created: 20 Aug 2012
Posted by mmurphy7

With the first half of 2012 now over, here is Arellia’s analysis of Microsoft vulnerabilities and those with privilege exploitation:

Bulletins: 42
Vulnerabilities: 97
Bulletins with Privilege Exploitations: 19
Vulnerabilities with Privilege Exploitations: 46
% of Bulletins with Privilege Exploitation: 45.2%
% of Vulnerabilities with Privilege Exploitation: 47.4%

As a refresher from the Introduction on Privilege Exploitation, privilege exploitation is where malicious software takes advantage of the rights of the logged-in user to change the configuration of the local computer. Further analysis of the vulnerabilities with privilege exploitation, broken down by Microsoft software component, is as follows:

Software               Vulnerabilities  Bulletins
Windows Server 2008    7                10
Windows XP             6                9
Windows Vista          6                9
Windows Server 2003    6                9
Windows 7              6                9
Office                 4                9
Internet Explorer 6    3                16
Internet Explorer 7    3                16
Internet Explorer 8    3                16
Internet Explorer 9    3                16
Visio                  2                6
SQL Server             1                1

As noted above, 47.4% of all the vulnerabilities posted by Microsoft can lead to privilege exploitation, with the Windows operating systems having the most vulnerabilities with privilege implications. Nearly all of the vulnerabilities involve opening a maliciously crafted file or webpage. The common attack vectors for such files are an e-mail attachment or a malicious URL. When the malicious file or webpage is launched, it is able to execute any action that the logged-in user can, so the damage is greater if that user is an administrator.

Everyone with an e-mail account today receives spam. According to Pingdom.com, 81% of spam is fortunately stopped by corporate filters, but what happens when a trusted friend's or colleague's e-mail account is hacked? Will the malicious link or file in their e-mail be stopped? Most likely it will not. What will happen to a user's computer if they click on the link or open the file?

Internet Explorer exploits differ because they usually happen within the browser when a webpage executes malicious code. While it may be easy for users to tell that an e-mail account was hacked when they receive a link to a suspicious and unfamiliar website, users are more likely to click on external links found on a legitimate website. These links can be just as dangerous, because, according to Symantec, "61% of malicious sites are actually regular Web sites that have been compromised and infected with malicious code." This malicious code can be found in a hidden webpage that the site owner is unaware of, or in a carefully crafted ad that appears on the website. Legitimate ad networks have been known to have malicious ads placed into their networks and proliferated to their clients' websites.

Another issue with links in e-mails is the ambiguity of where a link might go. For example, I recently received an e-mail from a friend containing a URL that had been shortened by Bit.ly. I used a trace to follow this link, and it redirected me twice until I landed at some "How to get rich quick" website. With most users clicking on links from friends, family, and colleagues, it is very important for businesses to remove Administrator Rights from their users to protect against web browser privilege exploitation, because most of the Microsoft Internet Explorer vulnerabilities give an attacker the same rights as the logged-in user.
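The kind of trace described above can be done without ever loading the destination page. The following script is an added example, not code from the original post or from Arellia: it resolves a shortened link hop by hop using HEAD requests, refuses to auto-follow redirects so each hop is recorded, stops on a loop or after a fixed number of hops, and reports the final URL for inspection rather than opening it. The `fetch` parameter is injectable so the chain logic can be exercised offline against the constructed redirect map `SAMPLE_CHAIN` (the hostnames in it are made up); `http_head` is the live fetcher for real use.

```python
"""Resolve a shortened URL's redirect chain without rendering the destination.

Added example (not part of the original post). HEAD requests only, no
automatic redirect following, a hop limit, and loop detection, so the final
landing URL can be examined before anyone clicks it.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

MAX_HOPS = 10  # a shortener chain longer than this is itself suspicious
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Decline to follow 3xx responses so the caller sees each hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # fall through; urllib then raises HTTPError for the 3xx


def http_head(url, timeout=5):
    """Live fetcher: one HEAD request, returning (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # Because _NoRedirect declined the hop, a 3xx surfaces here.
        return err.code, err.headers.get("Location")


def trace_redirects(url, fetch=http_head, max_hops=MAX_HOPS):
    """Return every URL visited, ending at the first non-redirect response.

    Raises RuntimeError on a redirect loop or when max_hops is exceeded.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain
        url = urljoin(url, location)  # Location headers may be relative
        if url in seen:
            raise RuntimeError(f"redirect loop at {url}")
        seen.add(url)
        chain.append(url)
    raise RuntimeError(f"more than {max_hops} redirects from {chain[0]}")


# Constructed sample chain (hostnames are placeholders, not real sites):
# shortener -> tracking redirector -> relative Location -> landing page.
SAMPLE_CHAIN = {
    "https://short.example/abc": (301, "https://track.example/go?id=1"),
    "https://track.example/go?id=1": (302, "/landing"),
    "https://track.example/landing": (200, None),
}


def fetch_from_map(url):
    """Offline fetcher that answers from SAMPLE_CHAIN instead of the network."""
    return SAMPLE_CHAIN[url]


def demo():
    """Trace the constructed chain; returns the list of hops."""
    return trace_redirects("https://short.example/abc", fetch=fetch_from_map)


if __name__ == "__main__":
    for hop, visited in enumerate(demo()):
        print(f"{hop}: {visited}")
```

In practice `trace_redirects(url)` with the default live fetcher is enough to see where a shortened link lands; the returned chain shows every intermediate redirector, and a RuntimeError flags a loop or an unusually long chain, both of which are worth a closer look before the link is opened in a browser.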

With Arellia Application Control Solution, applications can be run with limited privileges, minimizing the impact of these security vulnerabilities. For more information, take a look at Arellia Application Control Solution.

About Arellia: Arellia provides solutions for privilege management, application whitelisting, securing local administrator accounts, and compliance remediation. Arellia products are integrated with the Symantec Management Platform and sold through Symantec.