The total number of Microsoft vulnerabilities reported in 2021 dropped by 5%, reversing a five-year trend that saw such vulnerabilities rising sharply, according to a new report from identity management and security vendor BeyondTrust.
A total of 1,212 new vulnerabilities were discovered in 2021, but their severity, as well as their location within the Microsoft family of software products, has changed significantly year over year. Vulnerabilities rated as “critical” on the CVSS standard dropped by 47% in the past year, reaching their lowest levels since BeyondTrust began issuing this report, nine years ago.
Vulnerabilities on Windows, Windows Server drop
Windows and Windows Server both saw sharp drops in total vulnerabilities detected, by 40% and 50%, respectively, while vulnerabilities affecting Microsoft’s Edge and Internet Explorer browsers hit a record high.
Helping in the latest analysis is Microsoft’s move to NIST’s Common Vulnerability Scoring System, which lets researchers cross-reference security flaws more directly with bugs in the outside ecosystem.
The most common type of vulnerability seen in 2021 involved privilege elevation, where an attacker gains admin rights to a system through illicit means. A total of 588 such vulnerabilities were discovered in 2021. BeyondTrust’s researchers credit a more widespread adherence to good security practices for this rise: perversely, a general decrease in users with unnecessary admin privileges helped focus bad actors’ efforts on attempts to gain elevated privileges in various ways.
Attackers innovate to gain admin rights
“Without easy access to users with local admin rights, attackers have started to innovate to gain elevated privileges that can then be used to compromise systems, steal credentials, and move laterally,” the report said.
The second-most common type of vulnerability centered on remote code execution, which is particularly dangerous since attacks targeting such flaws can be carried out remotely, with little or no user interaction required. A total of 326 of these vulnerabilities were found in 2021, 35 of which rated a 9.0 or higher on the CVSS scale.
“With this type of risk, a workable exploit isn’t a matter of ‘does an exploit exist,’ but rather ‘when will it be publicly available,’” said the BeyondTrust report.
The report also broke out vulnerabilities in key Microsoft products, including Azure, Windows and Microsoft Office. The latter saw only one critical vulnerability, compared to a total of 66 found in 2021, while the same numbers for Azure and Dynamics 365 were seven and 44, respectively.
BeyondTrust’s researchers praised Microsoft’s consistent efforts to keep Azure safe, and lauded a “steady decline” in Office vulnerabilities. Similarly, the Windows operating system itself saw a 40% drop in total vulnerabilities in 2021 compared to the previous year, with a 50% drop in critical security flaws.
Copyright © 2022 IDG Communications, Inc.