Solely 104 crucial vulnerabilities had been reported in 2021, an all-time low for the world’s largest software program firm.
Total vulnerabilities throughout all Microsoft merchandise decreased 5 p.c in 2021, in line with the annual BeyondTrust Microsoft Vulnerabilities 2022 report. Whereas some merchandise similar to Web Explorer and Microsoft Edge noticed a surge within the general variety of vulnerabilities, the bottom ever variety of Microsoft vulnerabilities had been thought of crucial.
This development additionally held true for Home windows, Home windows Server, Microsoft Workplace, Azure Cloud and Dynamics365, Microsoft’s ERP answer.
To create the Microsoft Vulnerabilities report, the authors reviewed each Microsoft safety bulletin from the earlier yr to supply a barometer of the risk panorama for the Microsoft ecosystem.
SEE: Home windows, Linux and Mac instructions everybody must know (free PDF) (TechRepublic)
The variety of vulnerabilities throughout different classes, similar to reminiscence corruption, overflow and cross-site scripting, dropped considerably throughout all Microsoft merchandise between 2020 to 2021 as properly.
For the second yr in a row, elevation of privilege outpaced distant code execution because the safety class with essentially the most vulnerabilities recorded.
“As we dig into the information this yr, we will see the persevering with downward development in crucial vulnerabilities,” stated James Maude, lead cyber safety researcher at BeyondTrust, a privilege administration and cloud safety vendor. “Put merely, this funding has made it considerably more durable for an attacker to leap from a browser vulnerability to whole management of the system in a single transfer.”
Vulnerabilities throughout Microsoft merchandise
Web Explorer and Edge vulnerabilities
In 2021, there have been a record-breaking 349 Web Explorer and Edge vulnerabilities, nearly 4 occasions the quantity in 2020 although solely six had been thought of crucial.
This sudden enhance was as a result of consolidation of the browser market (with Edge having adopted Google’s Chrome browser know-how), fewer browser plugins similar to Adobe Flash to assault, and improved transparency in vulnerability reporting by Google, the report stated.
Home windows vulnerabilities
In 2020 there have been 507 vulnerabilities throughout Home windows 7, Home windows RT, Home windows 8/8.1 and Home windows 10 working techniques. Sixty of the Home windows 10 working system vulnerabilities had been thought of crucial. Total, Home windows vulnerabilities dropped 40% in comparison with 2020 and 50% over the previous 5 years.
“Microsoft’s extra aggressive stance on updating Home windows can be translating into a discount within the period of time techniques are uncovered to the chance of vulnerabilities,” the report stated. “This two-punch combo of fewer vulnerabilities and quicker patching comes as welcome progress after the relentless pressures of 2020.”
Microsoft Workplace vulnerabilities
Of the 66 Workplace vulnerabilities reported, just one was thought of crucial. Whereas that is excellent news, Workplace purposes are nonetheless weak to older exploits, such because the Equation Editor bug, although patches have been out there for years.
“Many malware toolkits include quite a few Workplace exploits aggregated from the previous 10 years, with the aim of discovering an unpatched system,” the report stated.” “These toolkits and methods have confirmed extremely profitable for a lot of risk actors.”
Home windows Server vulnerabilities
Home windows Server vulnerabilities have dropped to their lowest ranges since 2018, the report stated. 12 months over yr, the variety of Home windows Server vulnerabilities decreased by 41%, whereas crucial vulnerabilities dropped by 50% in comparison with 2020.
“It has taken Microsoft a number of generations of Home windows Server to get to a model inherently safer,” the report stated. “The most recent releases of Home windows Server have fewer vulnerabilities than ever earlier than, regardless of being a number of the largest code bases for any working system.”
Azure and Dynamics 365 vulnerabilities
Of the 30 vulnerabilities in Azure, solely 5 had been thought of crucial. Dynamics 365 had six crucial vulnerabilities in 2020.
The report known as out three vulnerabilities as notably problematic:
- Microsoft Change Server Distant Code Execution Vulnerability (CVE-2021-28480 and CVE-2021-28481)
- Home windows DNS Server Distant Code Execution Vulnerability (CVE-2021-34473, CVE-2021-26894, CVE-2021-26895 and CVE-2021-26897)
- Microsoft Defender for IoT Distant Code Execution Vulnerability (CVE-2021-42311 and CVE-2021-4231)
