Windows 10 Has More Vulnerabilities Than Any Other OS

A security analysis of Windows 10 has shown that the software has more vulnerabilities than any other operating system, and that it has nearly 50% more than Windows 8 and 8.1. The report, commissioned by security company Avecto, found particular fault with Microsoft’s two internet browsers – Internet Explorer and Edge – and found that 100% of vulnerabilities in both could be mitigated by merely removing admin rights.

The report – led by Mark Austin, co-founder and co-CEO at Avecto, and Marco Peretti, Chief Technology Officer – found that:

  • In total, 530 Microsoft vulnerabilities were reported in 2016, with 36% (189) given a critical severity rating. Of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year.
  • Despite being Microsoft’s newest and ‘most secure’ operating system, Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto’s report found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
  • 100% of vulnerabilities impacting Internet Explorer could be mitigated by removing admin rights, including 100% of the vulnerabilities affecting the latest browser, Edge.
  • Microsoft Office products were the subject of 79 vulnerabilities, up from 62 last year. This represents a 295% increase in Office vulnerabilities since 2014. Of the 79 vulnerabilities impacting Office, 17 were classed as Critical, meaning that all businesses using the software were potentially vulnerable to attack.

“Both Marco and I have a shared belief that the key to achieving effective endpoint security is to get the foundations right,” Austin said. “In the 20 years or so that Marco and I have been working in this industry, organizations are still neglecting the basics and skipping straight to the latest ‘next gen’ solution.”

“Privilege management and application control should be the cornerstone of your endpoint security strategy, building up from there to create ever stronger, multiple layers of defense,” he explained. “These measures can have a dramatic impact on your ability to mitigate today’s attacks. Times have changed; removing admin rights and controlling applications is no longer difficult to achieve.”

“As a team, Avecto is collectively drawing on years of experience and knowledge to further invest in the capabilities of our Defendpoint software, which uniquely marries together privilege management, application control and content isolation in one solution,” Peretti added. “It’s our belief that privileged escalation attacks can be a thing of the past, not only on Windows machines, but also on Macs. Technology like Defendpoint makes that possible, but we need the wider community to sit up and take notice.”

5 Comments

  1. Who the hell is Avecto, and why should I believe them? Seems rather extreme, and not in agreement with others. Is there an agenda here perhaps?

    1. This is a belated response, but Avecto is apparently using data from the NIST’s National Vulnerability Database (aka the “NVD”) to state this, and the NVD is really the only serious game in town in terms of determining vulnerable or secure software. If you’re good at navigating cryptic forms, you can verify this yourself here:
      https://web.nvd.nist.gov/view/vuln/search-advanced

      Just set the vendor, product and date to get the total number of vulnerabilities (aka “CVEs”) for Windows 10, and then click “Search” for the results. Then run it again for any other still supported version, especially Windows 7, for comparison. If you are only interested in the number of the most severe vulnerabilities, also set the “Severity Score Range” to “Critical (9-10).”

  2. Basically a report by a company to promote their own application. So what you have published as news is actually an advert for software aimed at the corporate market.

    A piece of software which looks to me to be trying to do what is already built into Active Directory, antivirus and antimalware software. I don’t know of any company whose AD administrators and Security teams would let standard users have admin rights on a regular basis.
