According to a new report from identity management and security vendor BeyondTrust, the total number of Microsoft vulnerabilities reported in 2021 fell by 5%, reversing a five-year trend in which such vulnerabilities increased sharply.
A total of 1,212 new vulnerabilities were discovered in 2021, but their severity, and where they fall within Microsoft’s family of software products, has shifted significantly over the years. Vulnerabilities rated “critical” under the CVSS standard dropped 47% last year, reaching their lowest level since BeyondTrust began issuing the report nine years ago.
Windows, Windows Server vulnerabilities drop
Total vulnerabilities declined in both Windows and Windows Server, by 40% and 50% respectively, while vulnerabilities affecting Microsoft’s Edge and Internet Explorer browsers reached record highs.
The latest analysis is aided by Microsoft’s adoption of NIST’s Common Vulnerability Scoring System (CVSS), which lets researchers cross-reference Microsoft security flaws more directly with bugs in the wider software ecosystem.
The most common type of vulnerability seen in 2021 was elevation of privilege, in which an attacker illegitimately gains administrative control over a system; a total of 588 such vulnerabilities were discovered in 2021. Researchers at BeyondTrust attribute this rise to broader adherence to good security practices, specifically a general decline in users holding unnecessary admin privileges, which has pushed bad actors to focus their efforts on obtaining higher privileges by other means.
Attackers innovate to gain admin rights
“Without easy access to users with local administrator rights, attackers have begun to innovate to gain improved access that could then be used to compromise the system, steal certificates and subsequently remove them,” the report said.
The second-most common type of vulnerability was remote code execution, which is particularly dangerous because attacks exploiting such flaws can be carried out remotely and require little or no user interaction. A total of 326 of these vulnerabilities were found in 2021, of which 35 were rated 9.0 or higher on the CVSS scale.
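As an added illustration, not part of the article or of BeyondTrust’s report, the following Python script applies the CVSS v3 qualitative severity bands the article refers to (a score of 9.0 or higher is “critical”) to a constructed set of vulnerability records and tallies them by vulnerability class and by severity, the same breakdown behind the report’s headline counts. It also pulls out the critical remote-code-execution entries a defender would patch first. The record identifiers, products and scores are constructed sample data, not real CVEs or report figures.

```python
from collections import Counter

# CVSS v3.x qualitative severity bands (base score range -> rating), as
# published in the FIRST CVSS v3.1 specification.
SEVERITY_BANDS = (
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)

# Constructed sample records (hypothetical IDs, not real CVEs) shaped like a
# vendor advisory feed: identifier, affected product, vulnerability class,
# and CVSS v3 base score.
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-0001", "product": "Windows", "category": "Elevation of Privilege", "cvss": 7.8},
    {"id": "EXAMPLE-0002", "product": "Windows Server", "category": "Remote Code Execution", "cvss": 9.8},
    {"id": "EXAMPLE-0003", "product": "Office", "category": "Remote Code Execution", "cvss": 7.8},
    {"id": "EXAMPLE-0004", "product": "Azure", "category": "Elevation of Privilege", "cvss": 9.0},
    {"id": "EXAMPLE-0005", "product": "Edge", "category": "Information Disclosure", "cvss": 4.3},
    {"id": "EXAMPLE-0006", "product": "Windows", "category": "Remote Code Execution", "cvss": 8.8},
    {"id": "EXAMPLE-0007", "product": "Dynamics 365", "category": "Spoofing", "cvss": 5.4},
    {"id": "EXAMPLE-0008", "product": "Windows Server", "category": "Remote Code Execution", "cvss": 9.1},
]


def cvss_severity(score):
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    score = round(float(score), 1)  # published CVSS scores carry one decimal place
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise AssertionError("unreachable: the bands cover every one-decimal score in 0.0-10.0")


def summarize(records):
    """Tally records by vulnerability class and by CVSS severity band, and
    compute the share of critical entries, mirroring the report's breakdown."""
    by_category = Counter(r["category"] for r in records)
    by_severity = Counter(cvss_severity(r["cvss"]) for r in records)
    total = len(records)
    critical_pct = round(100.0 * by_severity["Critical"] / total, 1) if total else 0.0
    return {
        "total": total,
        "by_category": by_category,
        "by_severity": by_severity,
        "critical_pct": critical_pct,
    }


def critical_rce(records):
    """Return the IDs of remote-code-execution records scored 9.0 or higher,
    highest score first: the entries a patch queue should front-load, since
    they need little or no user interaction to exploit."""
    hits = [
        r for r in records
        if r["category"] == "Remote Code Execution" and float(r["cvss"]) >= 9.0
    ]
    return [r["id"] for r in sorted(hits, key=lambda r: -float(r["cvss"]))]


if __name__ == "__main__":
    summary = summarize(SAMPLE_RECORDS)
    print(f"{summary['total']} records, {summary['critical_pct']}% rated critical")
    for category, count in summary["by_category"].most_common():
        print(f"  {category}: {count}")
    for severity, count in summary["by_severity"].most_common():
        print(f"  {severity}: {count}")
    print("Critical RCE, patch first:", critical_rce(SAMPLE_RECORDS))
```

Swapping `SAMPLE_RECORDS` for a parsed vendor feed gives the same per-class and per-severity tallies the article quotes, and the band boundaries are taken from the CVSS v3.1 specification rather than guessed, so a score of 8.9 lands in “High” and 9.0 in “Critical”.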
“With such risks, an effective exploitation is not a matter of ‘an exploitation exists’, but of ‘when it will be publicly available’,” the BeyondTrust report said.
The report also breaks out vulnerabilities in key Microsoft products, including Azure, Windows and Microsoft Office. Office saw only one serious vulnerability out of the 66 found in 2021, while the corresponding figures for Azure and Dynamics 365 were seven and 44, respectively.
Researchers at BeyondTrust praised Microsoft’s continued efforts to keep Azure secure and a “steady reduction” in Office vulnerabilities. Likewise, the Windows operating system itself saw a 40% reduction in total vulnerabilities in 2021 compared with the previous year, along with a 50% reduction in serious security flaws.
Copyright © 2022 IDG Communications, Inc.