Dailydave mailing list archives
Re: So, the security industry has given up on the principles of least privilege and separation?
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 16 Feb 2009 16:28:45 +0100
"Removing Admin Rights Stymies 92% of Microsoft's Security Vulnerabilities: Nine out of 10 critical bugs reported by Microsoft last year could have been made moot, or at least made less dangerous, if people ran Windows without administrative rights, a developer of enterprise rights management software claimed Tuesday".

If you look at the vague, short, management-oriented white paper that backs this PR claim (http://beyondtrust.com/documentation/whitePapers/wp_VulnerabilityReport.pdf) - by the way, from a company that happens to make account privilege management software - it seems that they are essentially saying two things:

1) With 100% of client software vulnerabilities, the attacker can do a bit less to the system if the user is not running as root (duh),

2) About 92% of all vulnerabilities in Microsoft bulletins affected client software, exclusively (MSIE, Office, etc) or not (shared image, XML parsing libraries, etc).

The transition made in the magazine, from "attacker can do a bit less" to "critical bugs could be made moot" seems to be a pretty fallacious one, however.

/mz
Current thread:
- So, the security industry has given up on the principles of least privilege and separation? Dave Korn (Feb 14)
- Re: So, the security industry has given up on the principles of least privilege and separation? Michal Zalewski (Feb 16)
- Re: So, the security industry has given up on the principles of least privilege and separation? Joanna Rutkowska (Feb 16)
- Re: So, the security industry has given up on the principles of least privilege and separation? Andre Gironda (Feb 16)
- Re: So, the security industry has given up on the principles of least privilege and separation? Michal Zalewski (Feb 17)