Q: Restricted user rights and vulnerabilities

Dear Expert,

I know that a restricted user is less vulnerable to most exploits, but is knowing that your users have restricted access enough of a reason NOT to patch? I am advocating that my IT support team update/patch the following software for our end users: QuickTime, Java, Adobe Reader and Acrobat. Currently all of our installed versions have multiple known vulnerabilities. I am being told patching is unnecessary because 95% of our users have restricted user rights and therefore cannot be exploited.

Will you please clarify? I understand how restricted user rights increase security, but is that enough of a layer to justify not patching? When I inquired about scanning thumb drives, this same answer was given: “It is not necessary because the users have restricted rights.” Many of our users have access to confidential and sensitive data and I remain concerned. I really appreciate any assistance that you can provide on this issue. Thank you for your help.

Regards,
L.P
Anonymous University

A: I am going to let our readers answer this interesting question. Readers – what do you say?

  • http://blog.elgura.com Gura

    Any remote code execution vulnerability is a threat whether the user is a standard or administrator account, but it isn’t the same if this malicious code is executed under standard user privileges or under administrator privileges. If malicious code is executed under a user account it can’t damage the system (NTFS, correct ACL, etc.), for example, but it can intercept/interact with the user session, steal passwords, etc. The risk is lower if the account is a normal user, but the risk exists.

    Sorry for my bad English.

  • http://web.comlab.ox.ac.uk/oucl/work/toby.murray/ Toby

    This depends on the threats you are trying to guard against.

    If the users are restricted to the point where they can’t perform any action that you are trying to guard against, then (modulo flaws in the OS, e.g. privilege escalation etc.) it’s highly likely that neither will an attacker be able to perform any action you’re trying to guard against once they’ve exploited one of the user’s applications.

    Of course, your users probably can perform actions that you are trying to guard against. If they have access to sensitive information, then there’s nothing stopping them from copying this data to a flash drive, for instance. Likewise, there’s nothing stopping an exploited application from sending this data out over the net and auctioning it off on eBay to the highest bidder. (Or deleting/encrypting the data and extorting your company for cash in order to get the data back etc. etc.)

    Hence, having users running in restricted accounts is no excuse for not patching.

    (The solution here is to alter the OS/shell so that applications launched by the user do not automatically inherit all of the user’s abilities but instead only the subset they need to perform their current function. In this case, you might be able to make a stronger argument for not patching. Google “principle of least authority” if the previous sentences sounded strange.)

  • XenoMuta

    That’s ridiculous and mediocre thinking. I think that your IT support team should be fired ASAP or be awarded an IT Insecurity Nobel Prize. The fact that an attacker has an unprivileged user doesn’t mean your system’s security hasn’t been not flawed.

    Do you really think bot-nets have achieved their goal because of their access level on flawed machines?

    Ask spam bots and key-loggers if they really need administrator privilege to do their job.

    If a doctor kills a patient out of negligence, his license would be revoked. I think we all should do the same with these “sysadmins”.

  • Jason

    This sounds like laziness on the part of the admins to me.

    If they want to play that game, they need to evaluate each vulnerability and patch that comes out and determine if an unprivileged user is vulnerable.

    If an attack includes privilege escalation, then it would need to be patched.

    If an attack was a simple denial-of-service, then it would need to be patched.

    If an attack takes over the security context of an application that could be running in a higher privilege level, then it would need to be patched.

    If an attack can be used to access arbitrary system information (such as documents), then it would need to be patched.

    I’m sure they have a lab and adequate time to test the various scenarios, right?

  • Juice

    My agency’s red team has never failed to gain root, and has never started with anything more than user level. Every OS has privilege escalation exploits available, so limited user access is a layer, not the whole defense.

  • Just Guess

    Restricted users can get infected with malware. Malware is smart enough to use vulnerabilities that allow it to escalate the privileges of the user by exploiting Windows kernel vulnerabilities that went unpatched, or even, in the case of QuickTime, to exploit vulnerabilities in the services that QuickTime uses (which run at higher privileges) to gain a stronger foothold in the operating system on which the restricted user is currently running.

  • Kasa

    It’s ridiculous. Even working with restricted privileges the user is still vulnerable to MITM, malware and phishing attacks. Besides that, as everyone knows, it’s enough privilege for bots, spammers, keyloggers and to escalate more privileges. Keeping the environment up to date is the first line of security for defense in depth.
    Least privilege is very important for the Need-to-Know, Segregation of Duty, Avoid Misuse and to maintain the standard installation in the company (wallpaper, screensaver, local administrators, template, baseline and applications).

  • vinicius

    If the user visits a website and gets exploited, malware will be installed with his low privileges. This is sufficient for malware to get into a botnet and be able to DDoS others (dropping your Internet connection) and have access to your network.

    As you ask this question, by the “understanding” of your staff, possibly your network is not segmented (that is servers and desktops are in the same zone), and this could lead to compromise of your servers (although this is not botnet’s main focus, it could be possible).

  • Sl@cker

    No, there is no need to patch your systems if users have a sound restricted rights access policy implementation.

    It’s not like anyone has ever figured out a way to elevate current user credentials or execute code with system or root privileges even though they didn’t have those levels of access... right ???? ;)

    Patch, patch, patch !

    ;)
