Excerpt from Security Now
10 years. And before the podcast began, by a year or two, that was in place. And
of course very controversial at the time. People were, "I don't want Microsoft
automatically updating my system," because it used to be we would have to go get those
updates and install them ourselves, or they would be issued as service packs, not just
this continuous dribbling dribble into our machines. But it's been 10 years. So here's the
breakdown. During that year, 2013 of critical rating, so there were 147 vulnerabilities
published during 2013 with critical rating. 92, as I said, were mitigated, blocked, by
removing admin rights. I'm sorry, not 92, 92% were blocked by removing administrator
rights. 96% of critical vulnerabilities affecting the Windows operating system, so nearly
all, 96% of those vulnerabilities which affected the Windows OS were mitigated by
removing admin rights. 100% of the vulnerabilities affecting IE were mitigated by
removing admin rights.
100%. All you had to do is switch to a standard user. In the Control Panel, under
Windows Users, you have a choice, be an admin user or a standard user. And
unfortunately, by default, when you set Windows up, you're an admin user. That's what
you get. So you need to create another user, set that up as a standard user, and that's
the one you use. And then, when you need to do something that you're being blocked by,
you need to enter the admin user's password. That's the way to be safe. Not even UAC
gives you this level of safety. You need to be a standard user and then provide the admin
password when you need to switch into the admin account, essentially. 91% of
vulnerabilities affecting Microsoft Office would be blocked by removing admin rights and
100%, all of the critical remote code execution vulnerabilities, and 80% of critical
information disclosure vulnerabilities mitigated by removing admin rights.
So the takeaway here is this is really important. If you simply stop being an admin, if
history is any lesson, you're way safer. You are completely safe based on history from IE
exploits, and those are the big way things get in is through Internet Explorer, through
web browsing. And critical remote code execution is also how this stuff happens. 100%
safe if you're not an admin. So we've got 41 days to go with XP. Certainly XP users ought
to seriously consider no longer running as an administrator. Just run as a standard user,
and use admin account only when you really know you need to.
Leo: You think that would make a difference?
Steve: I think it would really make a difference.