2021 saw a 47% decrease in Critical Microsoft vulnerabilities, marking the lowest ever total since the report began
BeyondTrust, the 2022 Microsoft Vulnerabilities announced the release of the 2022 Microsoft Vulnerabilities Report.
The research includes the latest annual breakdown of Microsoft vulnerabilities by category and product, as well as a six-year trend analysis, providing a holistic understanding of the evolving threat landscape. Produced annually by BeyondTrust, and now in its ninth edition, The Microsoft Vulnerabilities Report analyzes data from security bulletins publicly issued by Microsoft throughout the previous year.
Microsoft groups vulnerabilities that apply to one or more of their products into the following main categories: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Tampering, Information Disclosure, Denial of Service, and Spoofing. The findings in this year’s report will help organizations better understand and address risks within the Microsoft ecosystem.
Here are some key highlights from this year’s report:
- For the second year running, Elevation of Privilege was the #1 vulnerability category, accounting for 49% of all vulnerabilities in 2021
- Of the 326 remote code execution vulnerabilities reported in 2021, 35 had a CVSS score of 9.0 or higher
- Most of the high-impact vulnerabilities detailed in the report highlight the risks of on-premises technology, indicating that a shift to the cloud can improve an organization’s security
- Vulnerabilities in IE and Edge in 2021 were at a record high of 349, roughly 4x higher than in 2020
It is critical that organizations continue to carefully manage administrative privilege use to protect against vulnerabilities in Microsoft’s software, said Russell Smith, Editorial Director, Petri IT Knowledgebase. “I’ve always been a strong advocate for limiting access to admin rights. But despite the importance of running with standard user privileges for protecting systems and data, it is still not possible to natively manage in Windows today. Organizations need to manage privileged access on endpoints in a flexible and secure way that reduces risks to the business while allowing employees to do their work.”
“Microsoft’s move to the Common Vulnerability Scoring System (CVSS), now makes it easier for vulnerabilities to be cross-referenced with third-party applications that leverage affected services,” said Morey Haber, Chief Security Officer at BeyondTrust. “However, this is a trade-off because of the loss of visibility to determine the impact of administrative rights on critical vulnerabilities. What is clear, is the continued risk of excessive privileges. With the growing risk of privileged attack vectors caused by cloud deployments, the removal of admin rights remains a critical step to reduce an organization’s risk surface. This can be achieved by adopting a least privilege strategy and enabling zero-trust architectures throughout an environment.”
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produces a numerical score reflecting a vulnerability’s severity level, from 0 to 10. It’s important to consider that, when scoring vulnerabilities, organizations should not rely exclusively on the vendors’ CVSS Base Score to prioritize risk and remediation plans. End users should apply custom environment metrics to translate the risk to their own organizations. Guidance for this calculation can be found on NIST’s website.
With the consistently high volume of Microsoft vulnerabilities, ensuring endpoints are secured is more critical than ever. The removal of administrative rights is essential for mitigating many of the risks outlined in this report. BeyondTrust Endpoint Privilege Management enables organizations to achieve least privilege with a solution that not only deploys quickly, but also strikes the right balance between security and productivity.
The 2022 Microsoft Vulnerabilities Report can be downloaded here: https://www.beyondtrust.com/resources/whitepapers/microsoft-vulnerability-report