Overall vulnerabilities across all Microsoft products decreased five percent in 2021, according to the annual BeyondTrust Microsoft Vulnerabilities 2022 report. While some products such as Internet Explorer and Microsoft Edge saw a surge in the overall number of vulnerabilities, the lowest ever number of Microsoft vulnerabilities were considered critical.
This trend also held true for Windows, Windows Server, Microsoft Office, Azure Cloud and Dynamics365, Microsoft’s ERP solution.
To create the Microsoft Vulnerabilities report, the authors reviewed every Microsoft security bulletin from the previous year to provide a barometer of the threat landscape for the Microsoft ecosystem.
SEE: Windows, Linux and Mac commands everyone needs to know (free PDF) (TechRepublic)
The number of vulnerabilities across other categories, such as memory corruption, overflow and cross-site scripting, dropped significantly across all Microsoft products between 2020 to 2021 as well.
For the second year in a row, elevation of privilege outpaced remote code execution as the security category with the most vulnerabilities recorded.
“As we dig into the data this year, we can see the continuing downward trend in critical vulnerabilities,” said James Maude, lead cyber security researcher at BeyondTrust, a privilege management and cloud security vendor. “Put simply, this investment has made it significantly harder for an attacker to leap from a browser vulnerability to total control of the system in one move.”
Vulnerabilities across Microsoft products
Internet Explorer and Edge vulnerabilities
In 2021, there were a record-breaking 349 Internet Explorer and Edge vulnerabilities, almost four times the number in 2020 though only six were considered critical.
This sudden increase was due to the consolidation of the browser market (with Edge having adopted Google’s Chrome browser technology), fewer browser plugins such as Adobe Flash to attack, and improved transparency in vulnerability reporting by Google, the report said.
Windows vulnerabilities
In 2020 there were 507 vulnerabilities across Windows 7, Windows RT, Windows 8/8.1 and Windows 10 operating systems. Sixty of the Windows 10 operating system vulnerabilities were considered critical. Overall, Windows vulnerabilities dropped 40% compared to 2020 and 50% over the past five years.
“Microsoft’s more aggressive stance on updating Windows is also translating into a reduction in the amount of time systems are exposed to the risk of vulnerabilities,” the report said. “This two-punch combo of fewer vulnerabilities and faster patching comes as welcome progress after the relentless pressures of 2020.”
Microsoft Office vulnerabilities
Of the 66 Office vulnerabilities reported, only one was considered critical. While this is good news, Office applications are still vulnerable to older exploits, such as the Equation Editor bug, even though patches have been available for years.
“Many malware toolkits contain numerous Office exploits aggregated from the past 10 years, with the goal of finding an unpatched system,” the report said.” “These toolkits and strategies have proven highly successful for many threat actors.”
Windows Server vulnerabilities
Windows Server vulnerabilities have dropped to their lowest levels since 2018, the report said. Year over year, the number of Windows Server vulnerabilities decreased by 41%, while critical vulnerabilities dropped by 50% compared to 2020.
“It has taken Microsoft multiple generations of Windows Server to get to a version inherently more secure,” the report said. “The latest releases of Windows Server have fewer vulnerabilities than ever before, despite being some of the largest code bases for any operating system.”
Azure and Dynamics 365 vulnerabilities
Of the 30 vulnerabilities in Azure, only five were considered critical. Dynamics 365 had six critical vulnerabilities in 2020.
The report called out three vulnerabilities as particularly problematic:
- Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-28480 and CVE-2021-28481)
- Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-34473, CVE-2021-26894, CVE-2021-26895 and CVE-2021-26897)
- Microsoft Defender for IoT Remote Code Execution Vulnerability (CVE-2021-42311 and CVE-2021-4231)
