Remote code execution
The total number of issues rose by 111 percent between 2013 and 2017, according to a report from Avecto published last week and spotted by Computing.co.uk. Almost half of the vulnerabilities found could have enabled an attacker to remotely execute arbitrary code on a target system, which might enable them to obtain complete control.
A record high of 685 vulnerabilities were found last year across Windows Vista, 7, 8.1 and 10. The number of critical vulnerabilities is up by 60 percent since 2013, although 80 percent of these could be mitigated by removing user administrator rights. However, many PC users require the flexibility of administrator logins and this technique won’t resolve every issue.
Microsoft Office has seen a notably high increase in the number of potential flaws. 89 percent more flaws were found in the software during the period. Removing admin rights would only address the problems in 60 percent of cases. Although there’s a potential for security vulnerabilities in any software, there’s a clear trend in the report that Microsoft’s software seems to be getting less secure.
Web-connected features
Some explanation of the apparent reduction in security can be found in the features added to Microsoft products over the past five years. Office in particular has embraced the cloud and now ships with a multitude of Internet-enabled capabilities. These range from OneDrive cloud sync through to web image pickers, video embedders and the ability to import content from external services.
While web-connected features can improve the user experience, they’re also potential entry points for attackers. A flaw in a built-in web view control could be exploited by malicious actors to obtain a foothold in the software. Prior to Office 2013, Microsoft Office’s online capabilities were comparatively restricted, which might explain the surge in vulnerabilities noticed in later versions.
According to Avecto, there’s no simple way to resolve the problems. While sandboxing applications and restricting user privileges help to mitigate issues, the increasing functionality of applications is presenting new options to attackers. Enterprises should still be taking preventative steps to assess whether users need the permissions they’ve been granted. However, they may also want to consider disabling the cloud-connected aspects of software packages, particularly if the new features are going unused.
“Despite the continued rise in vulnerabilities impacting Microsoft software, there are actions that enterprises can take to ensure that they’re protected without sacrificing productivity,” said Mark Austin, Co-Founder and CEO of Avecto. “The challenges organizations face to improve security have not changed, yet many are still unaware that by simply removing admin rights, the risk of so many threats can be mitigated.”
