Microsoft security vulnerabilities drop after five years of rising

The total number of reported Microsoft vulnerabilities in 2021 fell 5%, reversing a five-year trend in which such vulnerabilities rose sharply, according to a new report from identity management and security vendor BeyondTrust.

A total of 1,212 new vulnerabilities were discovered in 2021, but their severity, as well as their location in Microsoft's family of software products, has changed significantly year over year. Vulnerabilities rated “critical” by CVSS have fallen 47% over the past year, reaching their lowest levels since BeyondTrust began publishing this report nine years ago.

Windows and Windows Server vulnerabilities plunge

Both Windows and Windows Server saw sharp declines in the total number of vulnerabilities detected, by 40% and 50%, respectively, while vulnerabilities affecting the Microsoft Edge and Internet Explorer browsers hit an all-time high.

Aiding the latest analysis is Microsoft's switch to the NIST Common Vulnerability Scoring System, which allows researchers to cross-reference security flaws more directly with bugs in the external ecosystem.

The most common type of vulnerability seen in 2021 involved elevation of privilege, where an attacker gains administrator rights on a system through illicit means. In 2021, a total of 588 such vulnerabilities were discovered. BeyondTrust researchers attribute the increase to a more widespread adherence to security best practices; perversely, a general decline in the number of users with unnecessary admin privileges has helped focus bad actors' efforts on attempts to gain elevated privileges in a variety of ways.

Attackers innovate to gain administrator rights

“Without easy access to users with local administrator rights, attackers have begun to innovate to gain elevated privileges which can then be used to compromise systems, steal credentials, and move laterally,” the report says.

The second most common type of vulnerability is remote code execution, which is particularly dangerous because attacks targeting such flaws can be carried out remotely, with little or no user interaction. A total of 326 such vulnerabilities were discovered in 2021, 35 of which scored 9.0 or higher on the CVSS scale.

"With this type of risk, an exploitable exploit is not a question of 'an exploit exists,' but rather 'when it will be publicly available,'" the BeyondTrust report said.

The report also revealed vulnerabilities in key Microsoft products, including Azure, Windows, and Microsoft Office. The latter saw just one critical vulnerability, compared to a total of 66 found in 2021, while the same figures for Azure and Dynamics 365 were seven and 44, respectively.

BeyondTrust researchers praised Microsoft's continued efforts to keep Azure secure and hailed a "steady decline" in Office vulnerabilities. Additionally, the Windows operating system itself saw a 40% drop in total vulnerabilities in 2021 compared to the previous year, with a 50% drop in critical security vulnerabilities.

Copyright © 2022 IDG Communications, Inc.