Microsoft Vulnerabilities Double in the Past Six Years

Research revealed the number of reported Microsoft vulnerabilities more than doubled since 2013 with 700 coming in 2018, representing a 110% increase in reported vulnerabilities over the last six years.

Those are some of the findings from Atlanta-based privileged access management firm BeyondTrust’s “Microsoft Vulnerabilities Report 2019.” The research provided the latest insight into security vulnerabilities facing organizations today, as well as a five-year trends analysis to better equip organizations to increase their IT security posture and keep networks and systems safe.

This year’s report identified the following highlights:

• Microsoft vulnerabilities continued to rise in 2018, with a total of 700 vulnerabilities discovered. This represented a 110% increase in the overall number of reported vulnerabilities over 6 years (2013-2018).
• The number of vulnerabilities ranked as “Critical” by Microsoft are up 29% over 6 years.
• Remote code execution vulnerabilities account for the largest proportion of total Microsoft vulnerabilities through 2018, with 292 RCE vulnerabilities reported, and 178 considered critical (61%).
• In 2018, there were 499 reported vulnerabilities across Windows Vista, Windows 7, Windows RT, Windows 8/8.1, and Windows 10 operating systems, 169 considered critical (34%).
• Despite being the newest browser, Microsoft’s Edge browser has nearly triple the number of critical vulnerabilities reported (112), compared to Internet Explorer (39). Critical vulnerabilities in Microsoft Edge have increased six-fold since its inception two years ago.
• Vulnerabilities in Microsoft Office continue to rise year-over-year, with a 121% increase over 6 years.
• Windows server vulnerabilities represent a significant percentage of the total number of vulnerabilities reported, reporting 449 in 2018, 136 of those Critical (30%).

Further analysis indicated 154 (81%) out of the 189 critical vulnerabilities discovered were preventable with the removal of administrator rights.

BeyondTrust explained the Microsoft vulnerabilities report analyzed the data from security bulletins issued by Microsoft throughout 2018. On the second Tuesday of every month, commonly referred to as “Patch Tuesday,” Microsoft releases fixes for any vulnerabilities affecting Microsoft products. “This report compiled these releases into a year-long overview, providing a more holistic view of whether vulnerabilities are increasing, and how many Microsoft vulnerabilities could be mitigated if admin rights were secured across from organizations.”

“The rate at which vulnerabilities are increasing is a significant concern for organizations committed to protecting their networks from data breaches,” Morey Haber, chief technology officer and chief information security officer at BeyondTrust, said. “While organizations need to continue to focus on the security basics, the ability to remove admin rights and control applications is no longer difficult to achieve, and least privilege should be considered as part of a proactive security strategy.”

The report also pointed out while eliminating admin rights can greatly improve security around Microsoft products and reduce the risks from their vulnerabilities, many IT leaders are concerned with how to balance access restrictions with maintaining a positive user experience.

Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. “Privilege itself refers to the authorization to bypass certain security restraints.” The Beyond Trust report explained applied to people, least privilege, sometimes called the principle of least privilege, means enforcing the minimal level of user rights, or lowest clearance level, that allows the user to perform their role. “However, least privilege also applies to processes, applications, systems, and devices (such as IoT), in that each should have only those permissions required to perform an authorized activity. The tension between security and productivity is often the barrier that prevents organizations from removing local admin rights from all users.”

“To address this challenge, modern endpoint privilege management solutions can be deployed to dynamically exert granular control over access to applications, tasks and scripts in a way that makes this balance seamless and the security invisible to the end user,” the report noted.