To Trust or Not to Trust: When it comes to Microsoft vulnerabilities, that is the question

I always thought BeyondTrust’s name had to do with going “beyond” placing blind trust in your employees and just giving them the fewest privileges needed to do their jobs—bypassing the need for trust, in essence. But now I’m thinking it also might have something to do with going beyond putting your trust in Microsoft’s vulnerability reports and Patch Tuesdays.

My little meditation on BeyondTrust’s name was prompted by a report I received from said company. BeyondTrust annually evaluates Microsoft security bulletins and assesses which security vulnerabilities could be avoided by using the security best practice of assigning least privilege to users—in other words, getting rid of the all-powerful admin rights that many users have. Some interesting bits the report reveals:

1. Microsoft Office vulnerabilities. Of the 55 Office vulnerabilities addressed in Microsoft security bulletins in 2009, all 55 could have been mitigated by removing admin rights.

2. Internet Explorer vulnerabilities. 94 percent of vulnerabilities in all versions of IE and 100 percent of vulnerabilities in IE 8 could be solved by removing admin rights.

3. Windows 7 vulnerabilities. Of the 10 critical Windows 7 vulnerabilities published since Windows 7’s release in October 2009, 9 of those vulnerabilities could be mitigated by configuring users without admin rights.

BeyondTrust’s report also notes that, although Microsoft does “a commendable job” disclosing vulnerabilities and providing patches, that it takes time to identify vulnerabilities. So much for putting your trust in Microsoft. But whether or not trust is an issue, for some organizations it just takes a while to deploy patches. If you’d like to look at the report, the company has a PDF you can look at. If you don't trust me.