Large Number of Windows Security Breaches Caused by Administrative Privileges
An article linked today on Slashdot revealed that a vast majority of security breaches could be prevented if users were not logged in with administrative priveleges. While this is not terribly surprising, the numbers were rather shocking. The report suggests that 92% of the 154 major security breaches were caused by users having administrative priveleges. Windows Vista’s User Accounts Control (UAC) has long been criticized for its excessive use of popup windows, and it seems that aside from being an annoyance, the measures put in place to help secure a system have become a vulnerability.
This issue arose due to a seperate software development compnay, BeyondTrust Corp., investigating the issue of Windows security breaches. The results they found showed the large number of attacks that could be prevented by having fewer rights on the user account. This is a classic example of the rule of least privilege, which suggests that only the minimum required amount of access should be given to those who are using a resource, though it is a bit more tricky to apply in the case of one’s personnal computer.
It certainly seems that Microsoft could do a lot more in the department of security with their operating systems when the software they install to prevent security breaches becomes a vulnerability. The article cites recent news in saying that some bloggers were able to demonstrate the vulnerabilities in Vista’s UAC. The details of their attack are not very specific, but suggest that they were able to run code to infiiltrate the system as an administrator and make malicious changes. The article states that Microsoft’s response was that there was no error in the way the software was performing, which is a bit troubling. Many would say that the Vista UAC is at best a nuisance that trains a user to click the popup windows warning that a change has been made without reading them, and the additional prospect of security risks is rather unsettling.
The article concludes by saying that the majority of users will not need to worry too much about these exploits, but it certainly can’t hurt to spend a smaller amount of time logged into your system as an administrator if it is unnecessary.