Elevation of Privilege is the top vulnerability category for the third year running, accounting for 55% of all Microsoft vulnerabilities in 2022
BeyondTrust releases the 2023 Microsoft Vulnerabilities Report. This report is the 10th anniversary edition and covers a decade of vulnerability insights, providing valuable information to help organizations see into the past, present, and future of the Microsoft vulnerability landscape. Produced annually by BeyondTrust, The Microsoft Vulnerabilities Report analyzes data from security bulletins publicly issued by Microsoft throughout the previous year.
Comprehensive report breaks down CVE and key shifts
This report dissects the 2022 Microsoft vulnerabilities data, highlighting key shifts and trends since the inaugural report. The report spotlights some of the most significant CVEs of 2022, and breaks down how they are exploited by attackers and ways they can be prevented or mitigated.
Microsoft groups product vulnerabilities into the following categories: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Tampering, Information Disclosure, Denial of Service, and Spoofing. Once again, Elevation of Privilege was the leading vulnerability category in 2022.
Highlights and key findings:
In 2022, total Microsoft vulnerabilities rose to 1,292, hitting an all-time high since the report began 10 years ago. It’s not just the number of vulnerabilities that should be of concern, but also the unique threat and impact posed by individual vulnerabilities.
- Elevation of Privilege is the #1 vulnerability category for the third year running, accounting for 55% (715) of the total Microsoft vulnerabilities in 2022.
- Microsoft Azure and Dynamics 365 generate the biggest financial gains for Microsoft, as well as the biggest gain in number of vulnerabilities.
- In 2022, 6.9% of Microsoft’s vulnerabilities were rated as ‘critical,’ while in 2013, 44% of all Microsoft vulnerabilities were classified as ‘critical.’
- Azure and Dynamics 365 vulnerabilities skyrocketed by 159%, from 44 in 2021 to 114 in 2022.
- Microsoft Edge experienced 311 vulnerabilities last year, but none were critical.
- There were 513 Windows Vulnerabilities, 49 of which were critical.
- Microsoft Office experienced a five-year low of just 36 vulnerabilities.
- Windows Server vulnerabilities rose slightly to552.
Within the report, a panel of some of the world’s leading cybersecurity experts weigh in on the report findings. They provide insights as we look forward to how the next decade in cyber threats, vulnerabilities, and defenses may unfold.
“Microsoft has a high volume of vulnerabilities that we have seen increase over the last 10 years of our research,” said James Maude, Lead Security Researcher at BeyondTrust. “This report outlines many of the risks, and highlights the importance of timely patching alongside the removal of excessive administrative rights to mitigate the risks.”
The past 10 years have seen the number of Microsoft vulnerabilities increase across all categories, with Elevation of Privilege vulnerabilities climbing 650%. Over that time, new Microsoft products have driven the overall increase in vulnerabilities, with Azure and Dynamics 365 vulnerabilities climbing by 159%–largely due to one product, Azure Site Recovery Suite—this past year alone.
If there’s one beacon of light shining across the past 10 years of vulnerabilities, it’s the fact that the fundamental ways to mitigate those risks have remained constant for well over a decade. Least privilege enforcement has proven to be just as relevant to the cloud systems and IoT devices of today as it did to the legacy systems, some of which are still operational. Protecting endpoints with products like BeyondTrust’s Endpoint Privilege Management solutions can enable organizations to quickly achieve least privilege, while striking the right balance between security and productivity.