Commenting on Microsoft’s decision to issue an out-of-band patch for a critical Windows zero-day flaw that allows remote code execution, Avecto says the flaw is notable because it only affects users who are logged in with an Administrator account.
Mark Austin, CTO of the Windows privilege management specialist, says that the vulnerability could allow remote code execution if a user with local administrator rights runs – or installs – a specially crafted, signed portable executable file on an affected system.
As Microsoft observes in its advisory, if a user is logged on with Admin rights, an attacker who successfully exploits this vulnerability could take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
“The risks associated with the MS12-024 WinVerifyTrust vulnerability are significantly reduced when users operate with standard rights, since attackers can only exploit users with higher access rights,” he said, adding that the fact that Microsoft issued an out-of-band patch indicates the potential severity of the security flaw.
The most important takeaway from this flaw – and from the background to the security patch from Redmond – says Austin, is that, as Microsoft again notes: ‘users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.’
This is what security professionals call the least privilege approach, and it forms the bedrock of a well-managed and secure desktop – an approach that is central to Avecto’s security strategy. Minimising administrative privileges is an exercise in the principle of least privilege: in a properly designed, administered and maintained environment there is no requirement for users to have admin privileges on their day-to-day account.
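As an added illustration of that principle (this is not code from Avecto or Microsoft), the following PowerShell script audits which accounts actually hold local Administrator rights on a workstation, flags any that are not on an allow-list, and reports whether the current session itself is elevated – the condition under which MS12-024 is exploitable. The allow-list entries are constructed placeholders to be replaced with your own approved admin accounts.

```powershell
# Added example, not Avecto's or Microsoft's code: audit local Administrators group
# membership, since MS12-024 only matters for users running with admin rights.

# Accounts legitimately allowed in the local Administrators group.
# Constructed placeholder values; replace with your organisation's approved accounts.
$ExpectedAdmins = @(
    "${env:COMPUTERNAME}\Administrator",
    "CONTOSO\Domain Admins"
)

function Get-LocalAdminMembers {
    # Uses the ADSI WinNT provider so the check also works on older Windows builds
    # (the systems MS12-024 affected) that lack the LocalAccounts module.
    $group = [ADSI]"WinNT://${env:COMPUTERNAME}/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/user for domain principals or
        # WinNT://WORKGROUP/HOST/user for local ones; normalise to DOMAIN\name.
        $parts  = ($path -replace '^WinNT://', '') -split '/'
        $domain = if ($parts.Count -ge 2) { $parts[$parts.Count - 2] } else { $env:COMPUTERNAME }
        "$domain\$name"
    }
}

function Test-CurrentSessionElevated {
    # True when the current token holds the Administrators role, i.e. the
    # situation in which a crafted signed PE could take over the machine.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$members    = Get-LocalAdminMembers
$unexpected = $members | Where-Object { $ExpectedAdmins -notcontains $_ }

Write-Host "Local Administrators on ${env:COMPUTERNAME}:"
$members | ForEach-Object { Write-Host "  $_" }
if ($unexpected) {
    Write-Warning "Accounts with admin rights that are not on the expected list:"
    $unexpected | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "No unexpected local administrators found."
}
if (Test-CurrentSessionElevated) {
    Write-Warning "This session is running with administrative rights; day-to-day use should be a standard account."
}
```

Run it under each user's normal (non-elevated) session across a fleet to find day-to-day accounts that still carry local admin rights.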
“Although this critical patch is seemingly buried along with a number of updates from Redmond this week, it confirms the reasoning behind our company’s advice to clients about the need for a least privilege approach on all aspects of their security.”