February 20, 2014, 10:54 AM — Microsoft published 147 vulnerabilities in 2013 that were rated as Critical. Critical, however, is a relative term, and there is one simple thing anyone can do that would guard against almost every single Critical vulnerability according to a new report from Avecto.
In its 2013 Microsoft Vulnerabilities Study, Avecto found that you could mitigate almost every single Critical vulnerability simply by removing administrator rights. The exact figure was 92%, which brings the number of serious threats from 147 down to around 12.
Avecto also determined this would circumvent 91% of the Critical flaws in Office, and 100%--as in every single Critical vulnerability--of those that impact Internet Explorer.
Taken in the larger context of all vulnerabilities published by Microsoft, as opposed to just the Critical ones, the efficacy of taking away administrator privileges drops to 60%. However, the ability to make more than half of the vulnerabilities essentially go away by just changing from administrator to standard user privileges is nothing to scoff at.
There is another piece of this puzzle that the Avecto report doesn't really address: Windows XP. Starting with Windows Vista, Microsoft introduced User Account Control (UAC), which enforces running with least privilege and requests authorization before elevating privileges for tasks that require Administrator rights. Windows XP has no UAC, so accounts that are members of the Administrators group there run with full administrator rights all the time, which is exactly the condition that lets a Critical flaw do its worst.
The other aspect of Windows XP that skews the data is that Windows XP is simply more vulnerable. Generally, a flaw that exists for various versions of Windows is only Important or even Moderate on Windows 7 or Windows 8, but is Critical when exploited on Windows XP because it lacks many of the advanced security controls in the more modern versions of the operating system.
If you take Windows XP out of the mix--which will happen in April when Microsoft support for the archaic OS expires--there will likely be far fewer security bulletins rated as Critical, and the idea of putting systems at risk by running with unobstructed administrator privileges will mostly be a thing of the past.
Regardless of which version of Windows you use, though, the Avecto report underscores a very simple reality. An attacker can typically only execute malicious code in the context of the currently logged-in user, and if that user is a standard user without access to critical system functions, and with no ability to run unknown software without explicit administrator permission, most threats would be rendered harmless.
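As an added example (not from the article or from Avecto's report), the following PowerShell audit checks the three points above on one host: whether the current session holds an elevated token, whether UAC is enabled, and which user accounts are members of the local Administrators group. It assumes a Windows 10/11 or Server 2016+ host with the built-in LocalAccounts module; the account name in the closing comment is a placeholder.

```powershell
# Added example (not from the Avecto report or this article): audit whether the
# current session and the local Administrators group reflect least privilege.
# Assumes Windows 10/11 or Server 2016+ with the built-in LocalAccounts module.

function Test-CurrentSessionElevated {
    # True when this process holds a full (elevated) administrator token.
    # Under UAC, a standard-user logon or a filtered admin logon returns False.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacStatus {
    # EnableLUA = 0 means UAC is switched off entirely, so every admin logon
    # runs unfiltered, the XP-style situation the article describes.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        UacEnabled                 = ($p.EnableLUA -eq 1)
        AdminPromptBehavior        = $p.ConsentPromptBehaviorAdmin
        StandardUserPromptBehavior = $p.ConsentPromptBehaviorUser
    }
}

function Get-LocalAdminAudit {
    # Lists every user account (not nested groups) in the local Administrators
    # group, addressed by its well-known SID so the check is locale-independent.
    # The built-in Administrator account is excluded as the break-glass account.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notmatch '\\Administrator$' } |
        Select-Object Name, PrincipalSource
}

# Report
"Session elevated: $(Test-CurrentSessionElevated)"
Get-UacStatus | Format-List
"User accounts holding local admin (candidates for demotion to standard user):"
Get-LocalAdminAudit | Format-Table -AutoSize

# To demote an account, run elevated and replace the placeholder name:
# Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member 'DOMAIN\placeholder.user'
```

Any account the audit lists that does not need to administer the machine is a candidate for demotion; after demotion, rerun the script from that user's session and confirm "Session elevated: False".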