Compiled by Avecto, this report analyses the data from the Patch Tuesday Security Bulletins issued by Microsoft throughout 2014. Microsoft bulletins are typically issued on the second Tuesday of each month, a date commonly referred to as "Patch Tuesday", and contain fixes for vulnerabilities affecting Microsoft products that have been discovered since the previous month's bulletins were released. Network administrators, security managers and IT professionals then respond to the update as quickly as they are able, rolling the patches out across their systems to protect against the now publicly known vulnerabilities.
The 2014 Microsoft Vulnerabilities Report is the second time Avecto has conducted this research. In 2013, the same report found a total of 147 vulnerabilities with a Critical rating, of which 92% could have been mitigated by removing admin rights. Comparing the two reports indicates a 63% year-on-year increase in the total number of Critical vulnerabilities.
Each bulletin issued by Microsoft contains an Executive Summary with general information regarding that bulletin. For this report, a vulnerability is classed as one that could be mitigated by removing admin rights if the sentence "Customers/users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights" (Microsoft's wording begins with either "Customers" or "Users") is found within the Executive Summary of the bulletin in which that vulnerability appears. Because the sentence is a property of the bulletin, every vulnerability listed in a bulletin that carries it is counted as mitigated, and no vulnerability in a bulletin that lacks it is.
When we talk about vulnerabilities being mitigated by admin rights removal, this refers to instances where a standard user account either nullifies the vulnerability itself or nullifies its impact by preventing the exploit from gaining elevated privileges through the user. In all instances quoted, removing admin rights mitigates the risk of the vulnerability.
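The classification rule above can be reproduced mechanically over a set of bulletins. The following is an added example, not code from the Avecto report: it applies the sentence test to each bulletin's Executive Summary and then tallies, per aggregate severity rating, how many of the vulnerabilities listed in the bulletins fall into the "mitigated by removing admin rights" class. The `Bulletin` record, the `SAMPLE-*` identifiers and the summary texts are constructed placeholders for illustration, not real bulletins or CVEs; the regular expression is tolerant of the "Customers"/"Users" variation and of extra whitespace or line breaks that text extraction from a bulletin page commonly introduces.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# The sentence the report keys on. Microsoft's bulletins use either "Customers" or
# "Users" as the first word, and extracted text may carry stray whitespace or line
# breaks, so the pattern matches any run of whitespace between words.
MITIGATION_SENTENCE = re.compile(
    r"(?:customers|users)\s+whose\s+accounts\s+are\s+configured\s+to\s+have\s+fewer\s+"
    r"user\s+rights\s+on\s+the\s+system\s+could\s+be\s+less\s+impacted\s+than\s+users\s+"
    r"who\s+operate\s+with\s+administrative\s+user\s+rights",
    re.IGNORECASE,
)


@dataclass
class Bulletin:
    # Hypothetical record shape, assumed for this example.
    bulletin_id: str
    severity: str            # Microsoft aggregate rating: Critical, Important, Moderate, Low
    executive_summary: str
    vulnerability_ids: list = field(default_factory=list)


def mitigated_by_standard_user(executive_summary: str) -> bool:
    """Apply the report's rule to one bulletin's Executive Summary."""
    return MITIGATION_SENTENCE.search(executive_summary) is not None


def tally(bulletins):
    """Return {severity: (total vulns, vulns counted as mitigated, percent mitigated)}.

    The rule is evaluated once per bulletin, so every vulnerability listed in a
    bulletin whose summary carries the sentence is counted as mitigated, and none
    of the vulnerabilities in a bulletin without it are.
    """
    totals, mitigated = Counter(), Counter()
    for b in bulletins:
        n = len(b.vulnerability_ids)
        totals[b.severity] += n
        if mitigated_by_standard_user(b.executive_summary):
            mitigated[b.severity] += n
    return {
        sev: (totals[sev], mitigated[sev], round(100 * mitigated[sev] / totals[sev]))
        for sev in totals
    }


# Constructed sample data with placeholder identifiers (not real bulletins or CVEs).
SAMPLE_BULLETINS = [
    Bulletin("SAMPLE-01", "Critical",
             "This security update resolves three privately reported vulnerabilities. "
             "Customers whose accounts are configured to have fewer user rights on the "
             "system could be less impacted than users who operate with administrative "
             "user rights.",
             ["SAMPLE-VULN-1", "SAMPLE-VULN-2", "SAMPLE-VULN-3"]),
    Bulletin("SAMPLE-02", "Critical",
             "This security update resolves a privately reported vulnerability. An "
             "attacker who successfully exploited this vulnerability could run "
             "arbitrary code in kernel mode.",
             ["SAMPLE-VULN-4"]),
    Bulletin("SAMPLE-03", "Important",
             "This security update resolves two vulnerabilities.\nUsers whose accounts "
             "are\nconfigured to have fewer user rights on the system could be less "
             "impacted than users who operate with   administrative user rights.",
             ["SAMPLE-VULN-5", "SAMPLE-VULN-6"]),
]


if __name__ == "__main__":
    for severity, (total, mit, pct) in sorted(tally(SAMPLE_BULLETINS).items()):
        print(f"{severity}: {mit}/{total} vulnerabilities ({pct}%) "
              f"mitigated by removing admin rights")
```

Note that the percentage is computed over vulnerabilities, not bulletins: a single bulletin fixing many vulnerabilities weighs accordingly, which is how a bulletin-level sentence produces the vulnerability-level figures quoted in the report.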
For a more detailed overview of the methodology used to produce this report, please see Appendix 1, Detailed Methodology.