Elevation of privilege was the top vulnerability category, accounting for 49 percent of all vulnerabilities for the second consecutive year, according to BeyondTrust’s latest Microsoft Vulnerabilities Report.
The report revealed that of the 326 remote code execution vulnerabilities reported in 2021, 35 had a CVSS score of 9.0 or higher. In addition, vulnerabilities in Internet Explorer and Microsoft Edge in 2021 were at a record high of 349, roughly 4x higher than in 2020.
Most of the high-impact vulnerabilities detailed in the report highlight the risks of on-premises technology, indicating that a shift to the cloud can improve an organisation’s security.
“Microsoft’s move to the Common Vulnerability Scoring System (CVSS), now makes it easier for vulnerabilities to be cross-referenced with third-party applications that leverage affected services,” said Morey Haber, Chief Security Officer at BeyondTrust.
“However, this is a trade-off because of the loss of visibility to determine the impact of administrative rights on critical vulnerabilities. What is clear, is the continued risk of excessive privileges. With the growing risk of privileged attack vectors caused by cloud deployments, the removal of admin rights remains a critical step to reduce an organisation’s risk surface. This can be achieved by adopting a least privilege strategy and enabling zero-trust architectures throughout an environment.”
According to BeyondTrust, the consistently high volume of Microsoft vulnerabilities means that ensuring endpoints are secured is more critical than ever. It also highlighted that the removal of administrative rights is essential for mitigating many of the risks outlined in the report.
