As critical Microsoft software vulnerabilities decline, attackers will need to chain together less severe exploits to achieve code execution, elevate system privilege levels, and move around victim networks. Credit: Microsoft / lVcandy / Aleksei Derin / Getty Images While the total number of recorded Microsoft vulnerabilities was higher in 2022 than ever before, the number of critical vulnerabilities declined to its lowest point, according to the latest Microsoft Vulnerability Report by BeyondTrust, released Tuesday.In 2022, only 6.9% of Microsoft’s vulnerabilities were rated as critical — less than half the number of critical vulnerabilities recorded in 2020. In 2013, 44% of all Microsoft vulnerabilities were classified as critical.Vulnerabilities categorized as critical are those with characteristics that make their exploitation a potentially high-impact security event. “This trend indicates that, while overall vulnerabilities have increased in number, the risks and worst-case scenarios associated with these individual vulnerabilities have decreased from previous years,” BeyondTrust said. It also shows that while the overall Microsoft attack surface is expanding along with the expansion of Microsoft’s business, the organization is doing a better job at minimizing the most dangerous types of development errors.Attackers may chain multiple, less severe attacksAs critical vulnerabilities decline, attackers may need to chain less severe exploits together to achieve code execution, elevate their system privileges, and move around victim networks, BeyondTrust said in the 10th edition of its report. The chaining technique, however, provides security teams with more potential points through which they can detect, intercept, and mitigate a breach.“If an attacker needs to chain three or more vulnerabilities together to reach their objective, then you just need to have mitigated or patched one of them to break the chain,” BeyondTrust said.Successful exploits against Microsoft systems will also require a higher level of attacker skill, which could reduce the number of possible adversaries. In 2022, Microsoft identified 715 elevation-of-privilege vulnerabilities, a 22% increase over 2021, and a 689% increase from 2017. It’s a crucial data point: The objective of an attacker is to get their code to run, and they want it to be able to run with enough privileges to allow a successful attack.“To achieve this objective, attackers need to have remote code execution, the ability to launch their code on a target system, and elevation of privilege to make sure this code runs with enough privilege,” BeyondTrust said.Office vulnerabilities declineThe Microsoft Office products category experienced a 45% drop in vulnerabilities in 2022, though critical vulnerabilities in the software suite increased from a low of one in 2021 to two instances in 2022. “While there is an overarching downward trend in the number of Microsoft Office vulnerabilities, Office applications have remained a successful target for threat actors. This is largely due to the lag times between discovery and patching,” BeyondTrust said. The downward trend in vulnerability can also be attributed to Microsoft’s efforts to cut off common attack vectors, such as VBA macros in documents, that have been delivered from the internet. This is a common attack vector, but previous mitigation attempts have merely been soft blocks that are easily circumvented by socially engineering the end user into enabling macros. In 2022, Microsoft blocked internet macros by default in Office applications.ChatGPT could bring new vulnerabilitiesMicrosoft has been investing heavily in ChatGPT developer OpenAI since 2019 and has plans to integrate AI into several of its products. ChatGPT is already being incorporated into the Microsoft search engine, Bing, with the hope of finally making it a stronger search competitor to Google. However, the extensive use of AI could introduce new kinds of vulnerabilities as well, BeyondTrust warns. “AI learns from often vast data sets and fundamentally expands the entities that can be used to exploit a system,” BeyondTrust said.Al systems can be vulnerable to manipulation and exploitation by malicious actors, who could use Al to carry out cyberattacks or gain unauthorized access to sensitive information.“As the technology landscape continues its next phase of evolution, vulnerability numbers should continue to climb, new threats will continue to crawl out from the cyber-ether,” BeyondTrust said. Related content brandpost Sponsored by PwC Improved incident response planning is a business necessity Today’s dynamic threat landscape and complex digital environments necessitate a modern, proactive approach to incident response. By Elliot Markowitz Apr 19, 2024 4 mins Security news analysis Windows path conversion weirdness enables unprivileged rootkit behavior MagicDot technique allows attackers to capitalize on an already-patched vulnerability simply by changing the dots in a path. By Lucian Constantin Apr 19, 2024 5 mins Windows Security Threat and Vulnerability Management Vulnerabilities brandpost Sponsored by Palo Alto Networks Rethinking work dynamics: Why consumer browsers are no longer enough What sets enterprise browsers apart? They are designed from the ground up as a security product with productivity in mind. Learn more today. By Ofer Ben-Noon, SASE CTO, Palo Alto Networks Apr 19, 2024 4 mins Cloud Security news Ransomware feared in Octapharma Plasma’s US-wide shutdown The disruption has impacted more than 150 plasma centers in the US, with possible effects on European operations. By Shweta Sharma Apr 19, 2024 3 mins Ransomware PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe