Last year saw a significant decrease in “critical” security flaws in Microsoft software and a drop in overall vulnerabilities, according to a report released Friday by security firm BeyondTrust.
The firm’s “Microsoft Vulnerabilities Report” takes a look at the total number of security bulletins issued in a year to provide a snapshot of Microsoft’s security landscape. The latest report found that the total number of Microsoft flaws (1,212 bulletins) fell 5 percent and that critical flaws saw a year-over-year decrease of 47 percent in 2021 — the largest decline BeyondTrust has seen since issuing this report.
“As we dig into this year’s data, we can see the continued downward trend in critical vulnerabilities,” said James Maude, principal cybersecurity researcher at BeyondTrust. “Simply put, this investment has made it significantly more difficult for an attacker to go from a browser vulnerability to full system control in one move.”
While the overall number of security flaws decreased, there was an uptick in elevation-of-privilege issues. Last year saw 588 reported elevation-of-privilege flaws, compared to 2020’s 559. Further, security feature bypass saw a slight uptick to 44 flaws in 2021, compared to 30 the previous year.
Here’s the full breakdown of Microsoft’s vulnerability category totals for 2021:
- Remote Code Execution: 326
- Elevation of Privilege: 588
- Information Disclosure: 129
- Denial of Service: 55
- Spoofing: 66
- Tampering: 3
- Security Feature Bypass: 44
The predominance of remote code execution flaws is not surprising, as Microsoft continues to tighten security across other categories. “As organizations better adhere to security best practices and remove admin rights from users, attackers seek new ways to gain privileges,” read the report. “Without easy access to users with local admin rights, attackers have started to innovate to gain elevated privileges that can then be used to compromise systems, steal credentials, and move laterally.”
This year’s report was good news for Windows OS users. Critical vulnerabilities dropped to 507 — a decrease from 2020’s 907 — and the number of critical flaws was cut in half. In fact, the 57 total critical flaws were the lowest number for the OS. “The halving of Critical Windows vulnerabilities over the past five years is a positive development and reflects how the continued investment in building a more secure operating system is paying off for Microsoft and for Windows users,” read the report.
It wasn’t all good news for Microsoft’s year in security, though. Vulnerabilities targeting the now-defunct Internet Explorer and the company’s current Web browser, Edge, increased almost fourfold to a total of 349 flaws. While the total had increased, only six of those flaws were labeled critical – an all-time low.
A couple of factors play into this increase. Since Edge is based on Google’s Chromium, and with the retirement of Internet Explorer, attackers are setting their sights on Chrome and Edge at a higher rate. Factor in Google’s aggressive and lucrative bounty program for spotting flaws in Chromium, and it makes financial sense for security researchers to look for flaws in Google’s code, hence the increase in vulnerabilities found.
While the overall Microsoft security picture is improving, there is still room for improvement, and much of the burden falls on IT. Timely patching is key, but it is not the only measure for securing organizations’ Microsoft environments. With the continued growth of elevation-of-privilege flaws, it’s important to monitor who has access to what.
“With that said, based off our understanding of the Microsoft landscape and previous trends, we estimate removing admin rights and enforcing least privilege remains pivotal to addressing vulnerabilities and reducing the attack surface,” read the report.
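One concrete way to act on that recommendation is to audit who actually holds local admin rights. The PowerShell below is an added example (it is not code from the article or from BeyondTrust’s report): it enumerates the local Administrators group on a Windows host, separates the built-in RID-500 account from ad-hoc grants, and flags any member not on an expected allow list. The allow-list entries and the CSV output path are placeholder assumptions to adapt to your environment.

```powershell
# Added example (not from the BeyondTrust report): audit the local Administrators
# group on this machine and report members that are not on an expected allow list.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

# Constructed allow list: principals expected to hold local admin rights.
# Placeholder values; replace with the groups your tiering model actually uses.
$ExpectedAdmins = @(
    'CONTOSO\Workstation Admins',   # placeholder: domain group for tiered admin access
    'CONTOSO\LAPS Operators'        # placeholder: domain group for break-glass access
)

function Get-LocalAdminAudit {
    param(
        [string[]]$AllowList = $ExpectedAdmins,
        [string]$GroupName = 'Administrators'
    )
    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
    foreach ($m in $members) {
        # RID 500 is the well-known built-in Administrator (local or domain);
        # report it separately so it is not confused with user-granted admin rights.
        $isBuiltIn = $m.SID.Value -match '-500$'
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $m.Name
            ObjectClass     = $m.ObjectClass        # User or Group
            PrincipalSource = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            BuiltInAdmin    = $isBuiltIn
            Expected        = ($AllowList -contains $m.Name) -or $isBuiltIn
        }
    }
}

$report = Get-LocalAdminAudit
$report | Format-Table -AutoSize

# Anything not expected is a candidate for removal under a least-privilege policy.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} local admin principal(s) not on the allow list on {1}" -f $unexpected.Count, $env:COMPUTERNAME)
    # Placeholder output path; a ticketing or config-management workflow would consume this.
    $unexpected | Export-Csv -Path "$env:TEMP\unexpected-local-admins.csv" -NoTypeInformation
}
```

Run it under an account that can read local group membership; a fleet-wide view comes from invoking the same function remotely (for example via Invoke-Command) and concatenating the per-host objects, which is why each record carries the computer name. Direct user accounts showing up with PrincipalSource of Local or MicrosoftAccount are the usual sign of the ad-hoc admin grants the report says attackers now have to work around.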